News & Blog

The Importance of Email Retention Policy

It’s no easy thing to govern and manage all your email business content. Not only is the amount of email data that businesses manage increasing rapidly, but the complexity of data regulations such as GDPR are also growing exponentially too. And for the icing on the cake, failing to comply with ever-evolving retention policies can lead to costly fines and lawsuits.

It’s no easy thing to govern and manage all your email business content. Not only is the amount of email data that businesses manage increasing rapidly, but the complexity of data regulations such as GDPR are also growing exponentially too. And for the icing on the cake, failing to comply with ever-evolving retention policies can lead to costly fines and lawsuits.  

Today’s organizations rely on data to fuel their business processes. Email is the most common form of company communication and having reliable access to email determines business continuity Whether it’s the federal government, healthcare, financial services, manufacturing, hospitality, retail, telecommunications, or education industries, there are sensitive resources that malevolent hackers can and will easily steal. 

ICO fines Tuckers Solicitors LLP £98,000 for data breach 

Just recently The Information Commissioner’s Office (‘ICO’) imposed a fine of £98,000 on Tuckers Solicitors LLP, for violations of Articles 5(1)(f), 32(1)(a), and 32(1)(b) of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’), following a ransomware attack on its systems.  

One of the key failings on Tuckers side was focused on data retention. Tuckers Solicitors LLP was noted to be storing court bundles after its 7-year retention period, some of which were exfiltrated through this attack. A failure to adhere to or to justify departures from its retention practices creates concerns about compliance with Article S(l)(e) GDPR, which requires personal data to be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed”. For more information on the penalty served- https://ico.org.uk/media/action-weve-taken/mpns/4019746/tuckers-mpn-20220228.pdf  

With the growing amount of data collected by companies today, it’s no wonder why creating and enforcing a robust data retention policy is essential. However, because of the rapidly changing threat landscape and new data privacy laws and regulations, it can be tricky for organizations to know what email data they need to retain and for how long. Implementing manually is simply a non-runner.   

Automated data retention could have been a saving grace for Tuckers- During a statement Tuckers detailed to the commissioner during the investigation that; “The data that was accessed was in locations that were not being proactively managed well enough with regards ensuring that data that was still being stored outside of our retention periods was then being deleted”.  

Data Retention FAQ’s 

What Is Data Retention?  

Data Retention, also known as records retention, is the storage of organization’s data for compliance or business reasons. The retention periods vary established on the type of information that is being processed, where the data is located, the purpose of processing that data amongst other factors. 

Why Is Email Data Retention Important?  

Retention policies help to manage many risks including lost or stolen information. Email retention ensures all the regulatory compliance is followed and reduces the cost of non-compliance and risk of sanctions; it improves the performance of IT without increasing the costs involved. excessive backlog and it reduces the loss of time and space while internally managing records and lack of organization system for records.  

How Can It Reduce Liabilities?  

Data retention policies will enable companies to keep what is needed and shed what is no longer – thereby reducing risks in the event of a security breach.  

What Are Retention Policies and What Purpose Do They Serve? 

Records retention policies are used to provide employees with the information and procedures needed to preserve records for specific periods of time. The policy provides rules that are used to identify which documents need to be kept and for how long. 

Email Retention Regulations  

Suggested retention periods may vary considerably based on the industry you belong to and the physical location of your company as mentioned above-  

UK/Ireland   

In the UK, there are no general cross-sector regulations for how long emails should be retained, unless you’re in an industry that is impacted by some specific legislation or heavily regulated by an industry body. 

  • General Data Protection Regulation (GDPR) 
  • The Freedom of Information Act 2000 (FOIA 2000) 
  • Public Records Act 1958 (PRA 1958) 
  • Data Protection Act 2018 (DPA 2018) 

These regulations won’t go as far as to tell organizations how long they should keep email for, but they do provide the guidelines around which they can come up with their own approach. 

US  

Regulation that applies to organizations in the US gets more detailed than in the UK and Europe – There are many US regulatory bodies that have specific recommended retention periods.  

Has Office 365 Got You Covered?  

Many using Microsoft 365 will be under the impression they have all of this covered by the fact they’re using a cloud service. That’s not right of course, this data isn’t backed up in a way that’s accessible to users and is therefore unsuitable for implementing an ERP. To provide eDiscovery, retention, compliance, and visibility O365 requires E3 with add-ons or E5 licenses for every user including Shared, Inactive, Ex-Users and Legacy users. MailMeter works with EVERY license, so you only pay for the license you need. Learn more about Office 365 email archiving with Waterford Technologies

How Do You Enforce Data Retention? 

The information an organization chooses not to retain is as important as the information they choose to retain. 3rd party solutions such as MailMeter allows organizations to implement retention policies to meet regulations, by users, departments, keywords, phrases, attachments to meet the various complex retention regulations in your sector and not just by a generic date. Keep what you need, which is key article under GDPR and best practice data protection. 

GDPR and Email Data Retention  

GDPR does not specify retention periods for personal data. Instead, it states that personal data may only be kept in a form that permits identification of the individual for no longer than is necessary for the purposes for which it was processed.  

Summary  

The increased value of data has meant that governments are establishing their own data protection laws such as GDPR, FOIA, CCPA & Mifid which can come at a great cost for organizations if found to be in breach of these laws. Without a proper compliance strategy and archiving software, organizations tend to hold onto email and file data way beyond the periods mandated by retention requirements. 

As we have seen in the Tuckers case above, retaining un-required data can create additional liability for your business as well a server pressure, risk of silent data corruption, and can also impede overall business productivity. 

There’s no time like the present to simplify your data governance program. Manual processing is far too time-consuming. Legacy systems are expensive and difficult to use. It doesn’t have to be this hard. Implementing an adequate retention policy is key to ensuring regulatory compliance. 

MailMeter helps automate data retention policy  

MailMeter Retention Manager is a powerful tool for granular destruction of messages from the MailMeter Archive. The user interface allows a designated administrator to set destruction time periods, organize users into groups, assign the groups to destruction categories, and set the frequency of destruction – message purge. 

MailMeter Retention Management Module – Demonstration 

Retention can be controlled by time and /or by person groups. Person groups can be created that contain current and former users and then retention categories can be applied to those groups. For example, your organization wants to set a retention policy of 5 years for all message but users in the Executive or Financial organizations need to be kept for 7 years. MailMeter set it and forget it Retention Policies make sure that messages are kept according to your record retention policies.