Email retention policy: Are you staying GDPR compliant?

12 March 2020 by Mikey Anderson

Ever since its implementation on May 25, 2018, GDPR has been at the top of the list of priorities for many organisations. However, with so many elements to consider, it can be quite easy for organisations to overlook certain areas. One commonly overlooked area is email: how should a company store and destroy emails to ensure compliance with the GDPR? Should companies have made changes to their email retention policies because of its implementation?

Aside from the regulatory obligations as set out in the GDPR, there are actually other reasons for companies to consider updating their email retention policy, such as addressing the cost of storage and overall system performance.

In this article, we’ll discuss why you should update your email retention policy (if you haven’t already), plus we’ll show you a few areas that you should consider when it’s time to revise your current processes.

How did the implementation of GDPR affect email retention?

For the most part, the implementation of GDPR brought no real surprises when it came to the processing and retention of all types of data, not just email. GDPR is very similar to most national laws; most notably, information should only be stored for as long as is necessary, and steps should be taken to securely destroy data once it reaches the end of its life.

Take the UK’s Data Protection Act, for example, which complements the GDPR. It stipulates in Principle five that “Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.”

It doesn’t say exactly how long to keep data for, but it does highlight some best practices that companies should adhere to when creating a data retention policy, which should be applied directly to email. These include assessing how long personal data is kept for, why it is used, and how it should be disposed of.

The guidelines of the GDPR are much the same. However, the fines for non-compliance are much greater than they ever were at a national level. The financial penalties for non-compliance with the GDPR serve as an even stronger deterrent to companies with outdated policies and practices.

Archiving emails and maintaining access

One of the key parts of any email retention process is how the data is archived once it reaches a certain age. Many companies are turning to cloud storage options such as Office 365. However, tape storage is still widely used for archive data.

With different options available, and with companies often using a mix of storage solutions, finding and accessing archived email can end up being an immense task for an Exchange administrator.

This becomes especially challenging if the emails are backed up onto older tape media.

One of the problems associated with tape media is directly linked to one of its main strengths: its longevity. While perfect for storing archive data long-term, it also presents a challenge when it comes to maintaining accessibility over long periods of time.

When reviewing an email retention policy, companies should consider what tape types they store data on and what backup software is used. It’s a common occurrence for organisations to reach a situation where software becomes end-of-life, tape drives fail, or the tapes themselves become damaged, and they then have no way of accessing the data on their own.

As part of your review of your data storage used for email retention, it’s best to ensure that you’re future-proofing your solutions accordingly.

Companies should also be aware of exactly what data is on every tape they own, which can be a challenge if their tape estate is split across multiple tape types and backup software packages, or if no catalogues exist. If you’re not sure what data you have, or exactly where it resides, then it is worth investing the time to address this, so you’re not presented with an insurmountable roadblock if you ever need to locate, restore, or delete archived information in the future.

You might also find that once you know what data is on your tapes, you can actually go ahead and securely delete obsolete data and enjoy vast cost and storage space savings as a result. After all, enterprise data storage solutions aren’t cheap!

Permanently deleting emails

We recently posted a blog about why data erasure matters for GDPR, and we’d highly recommend giving it a read if you’re not already aware; there’s plenty of reasons as to why it’s important.

One of the main reasons to securely delete email data is to prevent data breaches. Companies can amass enormous quantities of email data in a very short time, especially in larger organisations, and that can sometimes be a prime target for hackers. More data equals more risk; therefore, using a secure erasure method will help to mitigate the risk of archived and outdated information getting leaked. It will also do wonders for your data storage devices, freeing up valuable storage space that you can assign elsewhere.

What’s more, with the GDPR, companies need to comply with ‘Right to be Forgotten’ requests to remove personal data, as outlined in Article 17 of the regulation. This requires companies to erase data securely once it reaches the end of its usable life, or when a data subject requests its removal.

Creating a new email retention policy

When creating a new email retention policy, you should take the time to think about all of the points covered in this article, but try not to lose sight of what matters most to your business. Anyone can come up with an email retention policy, but the real value to your business will come from creating something that meets your requirements and overcomes your challenges.

As an example, here’s a summary from the points in the post:

  • Limit emails in active inboxes to a certain, shorter period. Adopt a new limit to mailbox sizes.
  • Archive off emails older than that period. However, make sure they are still easy to search and access. Define an upper time limit for when that archived data is considered obsolete.
  • Securely erase any emails that go past this upper time limit, using a certified, auditable tool so you can prove the process has happened.
  • Keep users aware of the policies and make sure they understand them fully.
  • Continually review your policies and test your access to archived data.

Your company should be reviewing its email retention policy frequently to ensure it is up to date, not just in terms of regulation but also in terms of technology, ease of access, and any change in business requirements to process that data.

The GDPR contains no exact wording on how long companies should retain emails; therefore, it falls to organisations to follow their own individual policies and show that a methodology was implemented accordingly.

Addressing key areas of email retention will not only ensure you remain GDPR compliant, but will also ensure that you are continuing to do the right thing when it comes to email and personal data retention.

Picture copyright: qimono/pixabay.com