top of page

Start working

from home

cloud upload gif.gif

Ready to move?



  • Cloudsis Email Archiver

Email Retention Policy & GDPR


Business is reliant on email – the information contained within emails has considerable importance to any business and as such having immediate, easy access to all original email content, whether sent or received is essential for many reasons.

Regulators and courts treat email messages as legal documents. Managing these email messages as business records ensure that we meet the burden of proof of regulations such as GDPR. These regulations require every corporate litigant to recognize, declare and produce emails in civil litigation.

Once we send an email, we have virtually no control over what happens to that message. It can be printed, forwarded, edited and changed dramatically, all without our knowledge or consent.

Another reason to retain emails are the so-called Data Subject Access requests. If your organisation is holding personal information about individuals then those people have the right to request access to this information – at no cost to the individual and ideally within 30 days of the request.

Has your business put the processes in place to satisfy regulators or arbitrary requests for such information?

By implementing a process that captures your organisations inbound and outbound email messages centrally, you can protect yourself against unwarranted claims and you can be ready to answer subject access requests immediately.

Hence the advent of email archiving solutions which capture, simultaneously index all email communications and provide extensive searching features allowing you to retrieve emails quickly based on any chosen criteria.

The questions that arise are:

  • How long should I be keeping emails? When can emails be deleted?

  • Do I comply with the requirements to adequately preserve and protect emails and to ensure their contents can be retrieve unaltered within a reasonable amount of time.

  • Can I have access to emails deleted by employees if required by courts or in case of civil litigation?

  • Can I respond to a GDPR data access request from a company/client /employee providing details of any personal data contained in emails stored by my organisation?

  • If they request this information to be deleted, does my company email retention policy indicate when and why can they be deleted?

All of these questions create the need for a solid email retention policy in which you have considered:

  • Time that emails are going to be retained and the archiving method used to keep every email secure.

  • How emails are going be indexed, stored, enabled, searched and exported in the event of a data request, audit or a civil/criminal legal case.

  • How emails are going to be retained unaltered during the necessary time to comply with regulation and when/how they are going to be automatically deleted to ensure GDPR compliance.

What is an email retention policy?

The basic and self-explanatory definition of email retention policy is:

“A policy that establishes how long an email should remain in your email archiving solution before being deleted automatically.”

The email retention policy should be governed by your corporate governance and comply with industry and government regulations. It should cover all emails sent or received by your organization and contain the guidelines for how long emails should be kept and how they should be removed from the email archiving solution.

One of the most important aspects of the email retention policy is that the management of retention of emails should be automatic. What this means to you is that emails should be removed from the system in a consistent manner without any manual intervention. This eliminates human error and decreases your liability significantly. The automation should also account for any pending cases before deleting any emails.