UK: Business Email Retention
The emails your organisation sends and receives are full of valuable and sensitive information, from business-critical data and contractual agreements to personally identifiable information (PII: any data that could be used to identify a particular person).
Your users may need to refer to it on a daily basis. Some correspondence might be essential for settling a legal matter.
Your emails are a record of who said what to whom. So you need to keep them safe. But for how long?
For many UK businesses, the retention period is theirs to decide. Companies that are publicly owned, or that operate in certain regulated industries, must keep their emails for specified periods (see below).
Even beyond regulations, there are good reasons to keep at least some emails for a long time.
Take, for example, emails related to contracts. Under the Limitation Act 1980, a claim for breach of a simple contract can be brought up to six years after the breach (twelve years for a contract executed as a deed).
So it makes sense to keep those particular emails for at least six years, or twelve where the contract is a deed.
No general UK law specifies how long a business must keep its emails. If anything, the legislation is more concerned with your business not keeping email data for too long.
The relevant laws are:
- UK General Data Protection Regulation (UK GDPR)
- Data Protection Act 2018 (DPA 2018)
- Freedom of Information Act 2000 (FOIA 2000), which applies to public authorities
- Public Records Act 1958 (PRA 1958), which applies to public records held by public bodies
UK GDPR requires you to be able to justify why you're keeping personal data (the storage limitation principle). You shouldn't hold on to it just in case you might want to refer to it in the future.
If you don't need to know the identity of a person mentioned in an email, their details should be anonymised (the data minimisation principle). Note that pseudonymised data, where the identity can still be recovered using additional information such as a lookup key, is still personal data under UK GDPR; only truly anonymised data falls outside it.
There is a U.S. federal law, the Sarbanes-Oxley Act (SOX), that affects companies publicly traded in the United States. It also applies to their wholly owned subsidiaries and to foreign companies that are publicly traded and do business in the United States.
SOX is widely interpreted as requiring these businesses to keep their emails, along with other records relevant to financial reporting and audits, for seven years.
Even if your company is not currently subject to SOX, you may in future need to comply with a proposed UK equivalent, which some experts say is imminent.
Certain industries have rules stipulating that documents, including emails, must be kept for a set period of time. These are described below.
Under the Data Retention (EC Directive) Regulations 2009, providers of public electronic communications networks or services had to keep communications data for 12 months (Pinsent Masons). Note that this covered communications data such as sender, recipient, date and time, not the content of the messages, and the 2009 Regulations have since been superseded; the current UK retention regime for communications data is set out in the Investigatory Powers Act 2016.
Solicitors must keep different types of documents for various periods. See the Solicitors Regulation Authority’s schedule.
For firms regulated by the Financial Conduct Authority (FCA), the retention period is seven years for many types of documents. However, there are quite a few you need to keep for shorter or longer times. For more information, see the Financial Conduct Authority Retention Schedule.