Ontrack | GDPR | Email Retention | Ontrack Blog

Thursday, March 8, 2018 by Mikey Anderson

Remain Compliant: How will GDPR Affect Email Retention?

With the 25th of May closing in fast, companies still have a lot to think about in terms of how to remain compliant with the forthcoming GDPR legislation.

There are many elements to consider; one commonly overlooked area is email. How should companies store it, and how should they dispose of it, once the GDPR comes into effect? Will existing email retention policies need to change?

Aside from the regulatory obligations set out in the GDPR, there are several other reasons for companies to update their email retention policy, such as the cost of storage and overall system performance.

In this article, we’ll show you why you should be thinking about updating your email retention policy, and we’ll highlight a few areas that you should definitely consider when revising your current processes.

How will GDPR affect email retention?

For the most part, the introduction of the GDPR will bring no surprise changes to how all types of data, not just email, are processed and retained. Most existing national laws are already very similar to what the GDPR requires: most notably, that information should only be stored for as long as is necessary, and that steps must be taken to securely destroy data once it reaches the end of its life.

Take the UK’s current Data Protection Act, for example. It stipulates in Principle 5 that “Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.”

It doesn’t say exactly how long to keep data for, but it does highlight best practices that companies should follow when creating a data retention policy, and these apply directly to email. They include assessing how long personal data is kept, why it is used, and how it should be disposed of.

With the GDPR, we can expect the guidelines to be much the same; however, the fines for non-compliance will be far greater than those currently available at a national level. While many countries have so far not reprimanded organizations with the highest fines available under existing legislation, the new financial penalties should serve as an even stronger deterrent to companies with outdated policies and practices.

Archiving emails and maintaining access

One of the key parts of any email retention process is how the data is archived once it reaches a certain age. Many companies are turning to cloud storage options such as Office 365; however, tape storage is still widely used for archive data.

With different options available, and with companies often using a mix of storage solutions, finding and accessing archived email can end up being an immense task for an Exchange administrator.

This becomes especially challenging if the emails are backed up onto older tape media.

One of the problems associated with tape media is directly linked to its main strength: longevity. While perfect for storing archive data long-term, tape also presents a challenge when it comes to maintaining accessibility over long periods of time.

When reviewing an email retention policy, companies should consider which tape types they store data on and which backup software is used. Organizations commonly find that the software goes end-of-life, the tape drives fail or the tapes themselves become damaged, leaving them with no way of accessing the data on their own.

As part of your review of your data storage used for email retention, it’s best to ensure that you’re future-proofing your solutions accordingly.

Companies should also know exactly what data is on every tape they own, which can be a challenge if their tape estate is split across multiple tape types and backup software packages, or if no catalogs exist. If you’re not sure what data you have, or exactly where it resides, it is worth investing the time to address this now, so you’re not faced with an insurmountable roadblock if you ever need to locate, restore, or delete archived information in the future.

You might also find that once you know what data is on your tapes, you can actually go ahead and securely delete obsolete data and enjoy vast cost and storage space savings as a result. After all, enterprise data storage solutions aren’t cheap!

Permanently deleting emails

We recently posted a blog about why data erasure matters for GDPR, and we’d highly recommend giving it a read if you’re not already aware; there’s plenty of reasons as to why it’s important.

One of the main reasons to securely delete email data is to reduce the risk of data breaches. Companies, especially larger organizations, can amass enormous quantities of email data in a very short time, and that data can be a prime target for attackers. More data means more risk, so using a secure erasure method helps mitigate the risk of archived and outdated information being leaked. It will also do wonders for your storage devices, freeing up valuable space that you can assign elsewhere.

What’s more, under the GDPR companies will need to comply with ‘Right to be Forgotten’ requests to remove personal data, as outlined in Article 17 of the regulation. This requires companies to erase data securely once it reaches the end of its usable life, or when a data subject requests its removal. If your organization doesn’t have a certified method in place, it’s time to start thinking about your options and to implement one as part of your new retention policy.

Creating a new email retention policy

When creating a new email retention policy, take the time to think about all of the points covered in this article, but try not to lose sight of what matters most to your business. Anyone can come up with an email retention policy; the real value to your business comes from creating one that meets your requirements and overcomes your challenges.

As an example, here’s a short summary just from the points in the post:

  • Limit emails in active inboxes to a certain, shorter time frame. Adopt a new limit to mailbox sizes.
  • Archive off emails older than that period. However, make sure they are still easy to search and access. Define an upper time limit for when that archived data is considered obsolete.
  • Securely erase any emails that go past this upper time limit, using a certified, auditable tool so you can prove the process has happened.
  • Keep users aware of the policies and make sure they understand them fully.
  • Continually review your policies and test your access to archived data.
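As an added example (not from the original post or from Ontrack), here is how the summary above maps onto Exchange Online retention tags and mailbox quotas using the Exchange Online PowerShell cmdlets. The 90-day active period, 7-year upper limit and 2 GB mailbox cap are assumed values to replace with your own policy’s figures; this covers only the live mailbox side, not tape archives or certified erasure tooling.

```powershell
# Added example: apply the retention summary above to Exchange Online mailboxes.
# Assumed policy values (replace with your own): 90-day active inbox, 7-year upper limit, 2 GB cap.
Connect-ExchangeOnline

# 1. Active mailbox: move anything older than 90 days to the user's archive mailbox.
New-RetentionPolicyTag -Name "GDPR-Archive-After-90d" -Type All `
    -AgeLimitForRetention 90 -RetentionAction MoveToArchive `
    -Comment "Items older than 90 days move to your archive mailbox (assumed policy value)."

# 2. Upper limit: permanently delete items once they reach 7 years (2555 days).
#    Age is counted from delivery date, so this applies in the archive as well.
New-RetentionPolicyTag -Name "GDPR-Delete-After-7y" -Type All `
    -AgeLimitForRetention 2555 -RetentionAction PermanentlyDelete `
    -Comment "Items older than 7 years are permanently deleted (assumed policy value)."

# 3. Bundle both default tags into one policy and assign it to every user mailbox.
New-RetentionPolicy -Name "GDPR Email Retention" `
    -RetentionPolicyTagLinks "GDPR-Archive-After-90d","GDPR-Delete-After-7y"

Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | ForEach-Object {
    # MoveToArchive needs an archive mailbox to exist; enable one where it is missing.
    if ($_.ArchiveStatus -ne "Active") { Enable-Mailbox -Identity $_.Identity -Archive }
    # Assign the policy and cap the active mailbox size (assumed 2 GB ceiling).
    Set-Mailbox -Identity $_.Identity -RetentionPolicy "GDPR Email Retention" `
        -IssueWarningQuota 1.8GB -ProhibitSendQuota 1.9GB -ProhibitSendReceiveQuota 2GB
    # Apply the tags now instead of waiting for the Managed Folder Assistant's next cycle.
    Start-ManagedFolderAssistant -Identity $_.Identity
}

# 4. Review step: confirm which tags the policy actually links, for your policy records.
Get-RetentionPolicy "GDPR Email Retention" | Select-Object -ExpandProperty RetentionPolicyTagLinks
```

The tag comments are shown to users in Outlook, which helps with the “keep users aware” step; the final command gives you something to file as evidence that the policy is in place.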

Another point to remember is that it shouldn’t take something like the GDPR to prompt a new email retention policy – it should be something your company reviews frequently to ensure it is up to date not just in terms of regulation, but also in terms of technology, ease of access, and any change in the business requirements for processing that data.

As far as the GDPR itself is concerned, there is no exact wording for how long companies should retain emails; therefore, it falls to organizations to create their own individual policies and show that a methodology was implemented accordingly.

Addressing key areas of email retention, including the ones in this post, will serve as a great start for organizations to show to regulatory bodies (and potentially, customers) that they are continuing to do the right thing when it comes to email and personal data retention.