In the age of GDPR, email retention is an increasingly important part of an organisation's data retention policy. While many companies are drawing up their own email retention policies, there are still businesses unsure of how long they need to keep emails. With various regulations each offering their own advice on data retention, it can get very confusing.
How long should you keep your emails? There is no single answer to the question of how long emails should be kept, but the following advice should help you to work out exactly how long is right for your business.
What is the Correct Email Retention Period?
The type of information your business deals with day-to-day will be the deciding factor. For example, your company is obliged to keep all records relevant for VAT purposes for at least 6 years. That means that any emails dealing with VAT must be kept for that period as a minimum. Of course, financial records aren't the only pieces of information subject to these kinds of rules. Even emails that contain information about everyday workplace matters, such as sickness records or maternity pay, are required to be kept for 3 years.
Many businesses will find that, because of these legal provisions, it is safest to keep emails for around 7 years. This gives your company a year on top of the common 6 year minimum retention period, just in case.
However, in some cases 7 years is still not long enough. For example, emails recording shareholders' meetings, including the decisions and resolutions taken and records of members, must be kept for 10 years under the Companies Act 2006.
Who are the Regulatory Bodies?
There are various regulatory bodies in relation to data protection with their own guidelines on email retention periods.
1. Employment Tribunals
It's up to employers to assess the different retention periods for the various types of employment data. The Data Protection Act is vague on the matter, stating only that personal data should be kept for "no longer than necessary". It's recommended that job applications and CVs be kept for as short a time as possible. A business can keep a CV for future reference but must inform the individual that it is doing so. Personnel records of former employees are generally kept for up to six years and no longer, because claims arising from the employment can be brought for up to six years after it is terminated. To limit legal risk, it is acceptable for businesses to keep emails and other information about the employee for that period, provided they are deleted once it has passed.
2. Court Action in Civil Procedure Rules
If a business cannot produce the evidence held in its emails for auditing or litigation purposes, then it is at risk of sanctions. A claim for breach of contract is possible for up to six years after the end of an employment contract, so a company must be able to locate the relevant emails quickly. Additionally, Practice Direction 31B (Disclosure of Electronic Documents) under the Civil Procedure Rules requires businesses to be prepared for electronic disclosure of documents, emails included.
3. Data Protection Act 1998
The DPA requires businesses to take appropriate technical and organisational measures to protect personal data (much of which will be in emails) from misuse, loss and theft. A subject access request can arrive at any time; the DPA 1998 allowed 40 days to supply a copy of the data requested, and the GDPR and Data Protection Act 2018 that replaced it in May 2018 shorten this to one month.
4. Freedom of Information
If you are a public authority, the public may be entitled to request access to your emails. This covers central government departments, local councils and authorities, educational establishments and the NHS.
5. Financial Services Act
The financial sector is heavily regulated, requiring organisations to keep the business emails they have sent and received for at least six years. Some data must be kept indefinitely so that cases can be reviewed.
6. The Sarbanes-Oxley Act
This is a US act relating to financial reporting, but it affects companies listed in the US, including their overseas subsidiaries. The Sarbanes-Oxley Act was enacted to protect shareholders and the public from accounting errors and fraudulent practices within an organisation. All critical business emails must be retained under the act.
Email Retention and GDPR
The legislation doesn't simply deal with periods of time; it also has other important aspects. If your organisation collects personal information, then you are expected to keep it secure, keep it accessible to the people entitled to see it, and keep it no longer than necessary. Guidance on the GDPR's storage limitation principle recommends that information which does not need to be accessed regularly, but which still needs to be retained, should be safely archived or taken offline.
Cryoserver has over 18 years of experience in email compliance and not only understands a range of GDPR issues, but has a tool set up to help you address them and make sure your organisation is keeping the emails it should. We can help you to manage your information securely and demonstrate 'privacy by design' in a way that fits your company's needs.
Email Retention Best Practices
With various regulations to consider, it is best to treat emails differently depending on the data they have. When deciding on an email retention policy, you must:
- Consider your legal obligations
- Consider the needs of your business
- Establish standard retention periods for all types of information
- Make sure all information is stored securely and deleted when no longer needed
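The four steps above amount to a retention schedule that is applied to each message. As an added illustration (not Cryoserver's code, and not a statement of what any regulator requires), the Python below evaluates that schedule for a message: it classifies the message into information categories, keeps it for the longest period that applies when several categories match, refuses to dispose of anything whose participants are under a legal hold, and handles the calendar edge case of a message sent on 29 February. The retention periods are the example figures quoted in this article, the keyword classifier and all addresses are hypothetical, and the sample messages are constructed.

```python
"""Retention-schedule evaluator for archived email (illustrative, not Cryoserver code)."""
import re
from dataclasses import dataclass
from datetime import date
from email import message_from_string
from email.message import Message
from email.utils import getaddresses, parsedate_to_datetime

# Retention periods in years per category, using the article's example figures.
# A real schedule is set with legal advice, not copied from a blog post.
RETENTION_YEARS = {
    "vat": 6,                     # VAT records
    "payroll_sick_maternity": 3,  # sickness and maternity pay records
    "shareholder_meeting": 10,    # Companies Act 2006 minutes and resolutions
    "general_business": 7,        # the article's "six years plus one" default
}

# Hypothetical keyword classifier. Production systems classify by mailbox,
# sender, DLP label or manual tagging rather than by subject keywords alone.
CLASSIFIER_RULES = {
    "vat": re.compile(r"\b(vat|hmrc)\b", re.I),
    "payroll_sick_maternity": re.compile(r"\b(ssp|smp|sick pay|sickness|maternity pay)\b", re.I),
    "shareholder_meeting": re.compile(r"\b(agm|shareholders?|resolutions?|minutes)\b", re.I),
}

TODAY = date(2023, 1, 1)  # fixed "today" so the sample output is reproducible


@dataclass(frozen=True)
class Decision:
    categories: frozenset
    retain_until: date
    disposable: bool
    reason: str


def add_years(d: date, years: int) -> date:
    """Add calendar years; 29 Feb rolls back to 28 Feb when the target year is not a leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def classify(msg: Message) -> frozenset:
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    text = f"{msg.get('Subject', '')}\n{body}"
    hits = {cat for cat, rx in CLASSIFIER_RULES.items() if rx.search(text)}
    return frozenset(hits or {"general_business"})


def retention_years(categories) -> int:
    # Longest applicable period wins: a message that is both a VAT record and
    # a sick-pay record must be kept for the VAT period.
    return max(RETENTION_YEARS[c] for c in categories)


def participants(msg: Message) -> set:
    headers = msg.get_all("From", []) + msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _name, addr in getaddresses(headers) if addr}


def evaluate(raw: str, today: date = TODAY, legal_holds=frozenset()) -> Decision:
    msg = message_from_string(raw)
    sent = parsedate_to_datetime(msg["Date"]).date()
    cats = classify(msg)
    until = add_years(sent, retention_years(cats))
    held = participants(msg) & {a.lower() for a in legal_holds}
    if held:  # a legal hold overrides the schedule until it is lifted
        return Decision(cats, until, False, f"legal hold on {sorted(held)}")
    if today <= until:
        return Decision(cats, until, False, "within retention period")
    return Decision(cats, until, True, "retention period expired")


# Constructed sample messages (hypothetical addresses, not real mail).
SAMPLES = {
    "vat_return": "From: finance@example.com\nTo: accounts@example.com\n"
                  "Date: Mon, 29 Feb 2016 09:00:00 +0000\nSubject: Q4 VAT return\n\n"
                  "Attached is the Q4 VAT return for HMRC.\n",
    "ssp": "From: payroll@example.com\nTo: hr@example.com\n"
           "Date: Tue, 05 Jan 2021 10:00:00 +0000\nSubject: SSP calculation for employee 1042\n\n"
           "Statutory sick pay for January.\n",
    "agm_minutes": "From: cosec@example.com\nTo: board@example.com\n"
                   "Date: Fri, 01 Jun 2012 16:00:00 +0100\nSubject: AGM minutes and resolutions\n\n"
                   "Minutes of the annual general meeting and the resolutions passed.\n",
    "mixed": "From: finance@example.com\nTo: hr@example.com\n"
             "Date: Wed, 28 Feb 2018 11:00:00 +0000\nSubject: VAT treatment of sick pay top-up\n\n"
             "Query from the auditors.\n",
    "lunch": "From: alice@example.com\nTo: bob@example.com\n"
             "Date: Mon, 01 Jun 2015 12:00:00 +0100\nSubject: Lunch\n\n"
             "Shall we get sandwiches?\n",
}


def run_samples(today: date = TODAY, legal_holds=frozenset({"cosec@example.com"})) -> dict:
    return {name: evaluate(raw, today, legal_holds) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, d in run_samples().items():
        print(f"{name:12} {sorted(d.categories)} keep until {d.retain_until} "
              f"dispose={d.disposable} ({d.reason})")
```

Two design points matter more than the keyword matching. First, when a message falls into several categories, the disposal job must take the maximum of the applicable periods, never the first match, otherwise a VAT record that also mentions sick pay is destroyed three years early. Second, the legal-hold check sits in front of the schedule, because destroying material that is subject to litigation or an investigation is a worse outcome than keeping it slightly too long.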
A reliable way to retain the vital information in emails is to archive them. Email archiving is the process of securely saving emails and protecting the data in those communications while enabling fast retrieval when required. The messages are placed in a secure storage location and kept in a read-only state, so that what is retrieved later is what was originally sent. Archiving emails this way supports compliance with regulations and policies such as GDPR.
Challenges with High Volume Email Archiving
While email archiving is beneficial for a business, it can be difficult to archive a high volume of communications for various reasons.
Clogging Up of Folders
When you begin to save emails for longer periods of time, folders become clogged, mail servers become slow and, when you actually need to track back a few years for a relevant email, finding it can be almost impossible. These problems only become more serious as the quantity of emails continues to grow.
Unreliable PST Files
A common workaround we found users attempting was the creation of PST files. Apart from being unreliable, PST files cause a whole range of problems for staff. PST files are typically saved on the hard drive of an employee's laptop, which means sensitive information is stored locally, outside central backup, access control and retention policy. Data held this way can easily leave your control, causing a potential data leak that could cost your organisation either in reputation or finances.
Threats from Cyber Attacks
Access to the sensitive information that builds up in an email archive poses its own problems. Not only will your business have to protect the archive against attacks from outside the company, but it will also have to ensure that the people within the company who can reach the store are authorised to do so, that their access is limited to what their role requires, and that searches and retrievals are recorded in an audit log.
Cryoserver's email archiving software addresses the challenges faced when archiving bulk emails. The fast, intuitive search system allows easy navigation of your archived emails, regardless of how many you might have. Employees in all departments find the search system easy to use with no training at all and can put together very specific searches with ease. As for crammed mail servers and slow backup processes, Cryoserver tackles them thanks to its compression and encryption of stored messages.
Get in touch with Cryoserver today to try our email archiving solution for free.