Secure Sensitive Information: How to Password-Protect an Email in Gmail

Sending sensitive business information by email without protection is like posting a confidential letter without sealing the envelope. Gmail’s confidential mode gives New Zealand businesses a practical way to password-protect emails containing client data, financial details, or legal documents. Here is how to use it and when your business needs to go further.

Why password-protecting business emails matters

Maintain control over sensitive information

Password-protected emails ensure only the intended recipient can access the content. This is critical for businesses sending contracts, invoices, tax documents, or client records where unauthorised access could result in a breach of the New Zealand Privacy Act 2025.

Reduce the impact of misdirected emails

Even careful staff occasionally send emails to the wrong address. Password protection adds a safety net: even if a message reaches the wrong inbox, the recipient cannot open the content without the SMS passcode. This mitigates one of the most common causes of accidental data exposure.

Demonstrate professionalism and compliance

Clients in regulated industries like legal, accounting, and insurance expect their information to be handled securely. Using password protection on sensitive emails signals that your business takes data security seriously and has proper protocols in place.

How to password-protect an email in Gmail

Step 1: Compose your email

Open Gmail and click “Compose” to create a new message. Add your recipient, subject line, and message content as normal.

Step 2: Enable confidential mode

Click the lock icon with a clock at the bottom of the compose window. This activates Gmail’s confidential mode, which restricts the recipient from forwarding, copying, printing, or downloading the email content.

Step 3: Set a passcode and expiry date

Choose “SMS passcode” to require the recipient to verify their identity via a code sent to their phone. Set an expiration date so the email automatically becomes inaccessible after a specified period. This is particularly useful for time-sensitive documents like quotes, contracts, or audit information.

Step 4: Send and manage access

Send the email as normal. You can revoke access at any time by opening the sent message and clicking “Remove access.” This gives you ongoing control over sensitive information even after it has been sent.

When Gmail confidential mode is not enough for your business

Gmail’s confidential mode is useful for individual emails, but it has limitations that matter for businesses:

  • No true end-to-end encryption. Gmail confidential mode restricts actions but does not fully encrypt the email content in transit. Businesses with strict compliance requirements may need dedicated email encryption solutions.
  • No centralised policy enforcement. Each staff member must remember to enable confidential mode manually. There is no way for administrators to enforce password protection on emails containing sensitive data across the organisation.
  • Limited to Gmail users. If your team uses Microsoft 365 or another platform, Gmail confidential mode does not apply. A managed email protection service works across all email platforms and provides consistent security policies.
  • No protection against inbound threats. Confidential mode protects outgoing emails but does nothing to filter phishing, malware, or spam coming into your inbox. Comprehensive email security requires both inbound and outbound protection.

A better approach to business email security

For New Zealand businesses handling client data regularly, a layered approach to email security is more effective than relying on confidential mode alone. This includes:

  • Enterprise email encryption that works automatically based on content policies
  • Inbound phishing and malware detection through managed email protection
  • Staff security awareness training to reduce human error
  • Data loss prevention rules that flag sensitive information before it leaves your network
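
A data loss prevention rule of the kind listed above can be as simple as a content check run on each outbound message. The following Python check is an added example, not code from this article or from OxygenIT; the keyword list, function names and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default

# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# Hypothetical keyword list; a real policy is tuned to the business.
KEYWORDS = ("passport number", "bank account", "tax return")

# Constructed sample messages (not real data).
FLAGGED = (
    "From: accounts@example.com\nTo: client@example.com\n"
    "Subject: Payment details\n\n"
    "Please charge 4111 1111 1111 1111 for the tax return filing.\n"
)
CLEAN = (
    "From: accounts@example.com\nTo: client@example.com\n"
    "Subject: Invoice 1234 5678 9012 3456\n\n"
    "Your invoice is attached.\n"
)


def luhn_ok(digits):
    """Luhn checksum: filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_outbound(raw):
    """Return reasons to hold an outbound message for encryption or review."""
    msg = message_from_string(raw, policy=default)
    texts = [msg["Subject"] or ""]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            texts.append(part.get_content())
    text = "\n".join(texts)
    findings = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if luhn_ok(digits):
            findings.append("card number ending " + digits[-4:])
    lowered = text.lower()
    findings += ["keyword: " + k for k in KEYWORDS if k in lowered]
    return findings
```

The second sample shows why the checksum matters: a 16-digit invoice number in the subject line is not flagged, so staff are not trained to ignore false alarms.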

Talk to OxygenIT about securing your business email. We provide managed email protection with encryption, phishing detection, and compliance controls tailored to New Zealand businesses.

Frequently Asked Questions

Is Gmail confidential mode the same as email encryption?

No. Gmail confidential mode restricts forwarding, copying, and printing, and can require an SMS passcode. However, it does not provide true end-to-end encryption. For businesses requiring full encryption, dedicated email protection services are necessary.

Can I password-protect attachments in Gmail?

Gmail confidential mode prevents recipients from downloading attachments, but does not password-protect the files themselves. For sensitive documents, consider encrypting files before attaching them or using a secure file-sharing platform with access controls.

Does password-protecting emails help with Privacy Act compliance?

It is one layer of protection, but Privacy Act compliance requires a broader approach including data handling policies, access controls, staff training, and incident response plans. An IT compliance partner can help ensure your business meets its full obligations.

What should I do if a password-protected email is sent to the wrong person?

Open the sent message in Gmail and click “Remove access” immediately to revoke the recipient’s ability to view the content. Then assess whether a notifiable privacy breach has occurred under the Privacy Act and follow your incident response procedures.

Should my business use Gmail or Microsoft 365 for email?

Both platforms have strong security features, but Microsoft 365 offers more advanced compliance, encryption, and administrative controls that are better suited to regulated industries. Microsoft 365 optimisation ensures your business gets the full security and productivity benefit from the platform.
