Heh, no idea what GDPR has to do with password protected attachments but this reminds me of a nifty customer that decided that NextCloud or KeePass files are way too complicated and simply dropped me required data in my HOME folder on the brand new server I was supposed to configure next day anyway. This I could access with my very own ssh key generated just for this purpose the day before. I had to admire the simplicity – and I needed that data on this server anyway 😀
Also auto-complete is a PITA on occasion. Looking at you Firefox.
Well, GDPR requires analysing and documenting flows of personal data. I can see how an organisation might choose to have a policy of password-protecting when data is transferred, so phrasing aside, it could sorta make sense.
They still need to read Schneier on security of algorithms and processes, though.