Email Retention Policy & GDPR
Business is reliant on email. The information contained within emails has considerable importance to any business, and so having immediate, easy access to all original email content, whether sent or received, is essential for many reasons.
Regulators and courts treat email messages as legal documents. Managing these email messages as business records ensures that we meet the burden of proof of regulations such as GDPR. These regulations require every corporate litigant to recognise, declare and produce emails in civil litigation.
Once we send an email, we have virtually no control over what happens to that message. It can be printed, forwarded, edited and changed dramatically, all without our knowledge or consent.
Another reason to retain emails is the so-called Data Subject Access Request. If your organisation is holding personal information about individuals, those people have the right to request access to this information, at no cost to the individual and ideally within 30 days of the request.
Has your business put the processes in place to satisfy regulators or arbitrary requests for such information?
By implementing a process that captures your organisation's inbound and outbound email messages centrally, you can protect yourself against unwarranted claims and be ready to answer subject access requests immediately.
Hence the advent of email archiving solutions, which capture and simultaneously index all email communications and provide extensive search features that allow you to retrieve emails quickly based on any chosen criteria.
The questions that arise are:
How long should I be keeping emails? When can emails be deleted?
Do I comply with the requirements to adequately preserve and protect emails and to ensure their contents can be retrieved unaltered within a reasonable amount of time?
Can I have access to emails deleted by employees if required by courts or in the case of civil litigation?
Can I respond to a GDPR data access request from a company, client or employee, providing details of any personal data contained in emails stored by my organisation?
If they request this information to be deleted, does my company email retention policy indicate when and why it can be deleted?
All of these questions create the need for a solid email retention policy in which you have considered:
The time that emails are going to be retained and the archiving method used to keep every email secure.
How emails are going to be indexed, stored, searched and exported in the event of a data request, audit or a civil/criminal legal case.
How emails are going to be retained unaltered for the time necessary to comply with regulation, and when/how they are going to be automatically deleted to ensure GDPR compliance.
What is an email retention policy?
The basic and self-explanatory definition of email retention policy is:
“A policy that establishes how long an email should remain in your email archiving solution before being deleted automatically.”
The email retention policy should be governed by your corporate governance and comply with industry and government regulations. It should cover all emails sent or received by your organization and contain the guidelines for how long emails should be kept and how they should be removed from the email archiving solution.
One of the most important aspects of the email retention policy is that the management of retention of emails should be automatic. What this means to you is that emails should be removed from the system in a consistent manner without any manual intervention. This eliminates human error and decreases your liability significantly. The automation should also account for any pending cases before deleting any emails.
Having an email archiving solution helps you in complying with your email retention policy. It would also assist you in automating your email retention policy.
Why do I need an Email Retention Policy?
It is evident from the previous section how important it is to have an email retention policy. There are 3 main reasons why you need a policy that would reduce your risk of liability from unforeseen circumstances.
Most companies have to comply with regulation that requires them to produce emails during an investigation or an audit. If the company is not able to disclose the required emails, it could not only suffer financial loss, but its reputation could also be compromised. Different regulations apply to different industries. You need to be aware of any local, national or European regulation in relation to your industry.
In professional sectors where companies are heavily regulated, different rules will apply depending on the industry. For example, the Solicitors Regulation Authority requires a wide variety of records to be kept for six years, including records of transactions and commissions. In the financial sector, an email retention policy must make emails available for six years, according to the Financial Conduct Authority. In the UK, the Civil Procedure Rules make it possible to bring a claim for breach of contract within six years, and they also require companies to be ready for e-discovery for electronic records including email.
This alone should encourage a healthy corporate email retention policy. You should involve legal and management to find out what your obligations under these regulations are.
Discovery is a legal process that allows attorneys on both sides to ask for information that is relevant to a case and that may lead to the discovery of other important facts and information. Parties to a lawsuit are required to provide this information in the discovery phase of any case.
Judges and courts do not have a favourable view of those organisations that cannot produce these emails during the discovery process. In fact, if you cannot produce the needed emails, it could be construed as destruction of evidence.
Therefore, having an effective and operational email retention policy can assist your organization in any legal proceedings. For example, if you have a 3-year retention policy, then you will only be obligated to provide emails for the last three years and nothing beyond that.
On average, every user within an organization receives 125 emails per day, and the number is expected to increase to 125 by 2015. The information contained within these emails is not only general business correspondence but also includes documents which could be required for future projects.
More than 70% of an organization's Intellectual Property resides in its stores of email. Access to these knowledge-based emails is needed after an employee has either been terminated or has left your organization.
Retention Period Guidelines
This table provides an overview of document retention periods. It is not an exhaustive list and may be subject to change. The information should not be relied or acted upon without seeking the advice of a competent
Legal Hold Policy
Even with an operational email retention policy, there are times when you need to make sure that emails are not automatically deleted from your email archiving system. For this situation, the ability to place a legal hold on emails ensures that the emails remain available to the courts during the discovery phase of legal proceedings. Placing a legal hold on all content in a user's account, or targeting specific accounts based on dates, subject and message text, should be an essential part of your email retention policy.
Make sure that your email retention policy clearly states legal hold procedures. Important things to note:
Who can place the legal hold?
Who would have access to the emails under legal hold?
What would be the review process?
How is the legal hold removed?
Note: End-users should not be able to see legal hold on their emails.
Writing the Policy
Creating a written email retention policy will be the key in enforcing your policy. A formal written policy will save you time and money when your organization is under audit. Your email retention policy will be helpful in defining how many emails your organization will have to provide during the discovery phase.
As with any business policy, your email retention policy should be simple and must be communicated to all users. Creating an effective email retention policy is not only governed by the business needs but also should pay attention to any technical requirements.
The ability to retain emails in a cost-effective way should be an important part of your organization's policy.
Legal Hold Process:
Who would approve placing a legal hold? – Executive team and/or …
Who can place the legal hold? – Human resources, legal team, and/or …
Who would have access to the emails under legal hold? – Outside legal counsel, legal team, human resources, and/or …
What would be the review process? – Company process is …
How is the legal hold removed? – Executive team and/or … needs to approve removal of the legal hold
How can the Cloudsis Email Archiving solution help you to implement your email policy?
Managing a defined email retention policy is not easy in many organisations. The factors below must be considered when implementing an operational email retention policy.
Automate your Email Retention Policy
As the definition dictates, the ability to retain and dispose of the email automatically makes it an efficient email retention procedure. An email archiving system like the Cloudsis Email Archiving Solution can automatically capture all the emails that are sent and received by every user for retention. That is the first part of the automation.
The ability to dispose of these emails automatically based on your business needs is another necessity. Cloudsis Email Archiving Solution can categorise emails based on your business needs and automatically remove emails from your system. This provides you with a hands-off approach to your retention policy.
The reason to retain emails is to be able to provide them to any stakeholder when necessary. Whether it is an auditor, the courts during the discovery phase, or just another employee looking for some past information, fast retrieval of these emails will save you time and money.
Cloudsis Email Archiving Solution provides thorough searching capabilities to retrieve millions of archived emails within seconds.
Having fuzzy and proximity searching capabilities based on keywords gives you more power to retrieve specific emails whether they are within the attachments of an email or just in the plain email.
Messaging Intelligence can provide you visual insight to extend the internal or external investigation as needed.
To get buy-in from every department, especially legal and compliance, it is absolutely necessary to have an effortless method to suspend the destruction of emails that fall within your defined retention period. Therefore, the ability to suspend deletion of certain (but not all) emails immediately upon any indication of an official investigation, or when a lawsuit is filed or appears imminent, is vital.
A true operational email retention policy based on an email archiving system should not require any human intervention. Once configured in an email archiving solution provided by Cloudsis it should automatically retain and dispose of emails as required by your policy.
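The behaviour described above (automatic disposal once the retention period has passed, except for emails under a legal hold scoped to a mailbox, a date range or keywords) can be sketched as a small retention sweep. This is an added example, not Cloudsis code; the dataclasses, the three-year retention period and the sample messages are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Email:
    msg_id: str
    mailbox: str
    sent: date
    subject: str
    body: str

@dataclass(frozen=True)
class LegalHold:
    """Scope: one mailbox (None = all), optional date window, optional keywords."""
    mailbox: str | None = None
    start: date | None = None
    end: date | None = None
    keywords: tuple[str, ...] = ()  # matched in subject and body, case-insensitive

    def covers(self, e: Email) -> bool:
        if self.mailbox is not None and e.mailbox != self.mailbox:
            return False
        if self.start is not None and e.sent < self.start:
            return False
        if self.end is not None and e.sent > self.end:
            return False
        text = f"{e.subject} {e.body}".lower()
        return not self.keywords or any(k.lower() in text for k in self.keywords)

def retention_sweep(archive, holds, retention_days, today):
    """Return (to_delete, held) message ids. Only emails older than the retention
    window are candidates; any active hold covering a candidate blocks disposal."""
    cutoff = today - timedelta(days=retention_days)
    to_delete, held = [], []
    for e in archive:
        if e.sent >= cutoff:
            continue  # still inside the retention period
        (held if any(h.covers(e) for h in holds) else to_delete).append(e.msg_id)
    return to_delete, held

# Constructed sample data (not real messages)
ARCHIVE = [
    Email("m1", "alice@example.com", date(2019, 1, 10), "Invoice Q1", "Payment for contract 42"),
    Email("m2", "alice@example.com", date(2020, 6, 1), "Lunch", "Noon?"),
    Email("m3", "bob@example.com", date(2018, 3, 3), "Contract 42 dispute", "See attached"),
    Email("m4", "bob@example.com", date(2023, 9, 9), "Status", "All good"),
]
HOLDS = [LegalHold(mailbox="bob@example.com", keywords=("contract 42",)),  # targeted hold
         LegalHold(start=date(2019, 1, 1), end=date(2019, 12, 31))]          # all mailboxes, by date
```

With a three-year policy evaluated on 1 January 2024, only m2 is disposed of; m1 and m3 are past retention but protected by a hold, and m4 is still within the retention window.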
Users should be trained to use the email archiving solution so they can access and retrieve older emails when needed. Retrieval of emails should therefore be non-intrusive to employees' working procedures. Cloudsis Email Archiving Solution provides direct access to users' email through their favourite email client and over the web.
If you have an email archiving solution to manage your email retention policy, then prevent your employees or users from creating local PST files on their hard drives. Emails held in PST files that are older than your retention policy allows could amplify your risk.
Note: Information provided above is not legal advice and is for educational and planning purposes only. Please consult with your legal counsel.