From Inbox to Archive: Unveiling the Secrets of an Effective Email Retention Policy

Introduction?

Data retention forms an inherent part of privacy regulations and other compliances across the globe. While most of the time we focus on making policies around data backup and cloud resources, a policy on data stored or kept in the email is often overlooked. Indeed, email has become a critical tool for communication and information exchange in both personal and professional spheres. However, with the increasing focus on privacy and data protection, organisations face the challenge of complying with various privacy laws while managing their email retention policies. This article highlights about various facets associated with email retention policies and how critical they can be to an organisation.?

?Why do we need an email retention policy??

Privacy laws often define specific retention periods for personal data. There is also the statutory business requirement to hold data for a specified period. An email retention policy enables companies to retain data for the required duration, ensuring compliance with these regulations. This facilitates proper handling of data subjects' requests and protects against potential claims of non-compliance.?

How does it help??

• Effective Data Subject Rights Management: Privacy laws grant data subjects numerous rights, such as the right to access, rectify, and erase their personal data. A precise email retention policy benefits organisations in managing data subject requests efficiently, enabling them to locate and respond to such requests within the prescribed timeframes.?
• Limiting Data Breach Risks: Keeping data for a long period of time and retaining data for a long period of time increases the risk of unauthorized access or data breaches. An email retention policy allows organisations to regularly purge outdated or unnecessary emails, reducing the potential impact of a data breach and improving overall data security.?
• International Data Transfers: Various privacy laws enforce restrictions on transferring personal data outside the originating country or region. An email retention policy facilitates organizations to identify and properly handle cross-border email transfers, ensuring compliance with relevant regulations such as General Data Protection Regulation (GDPR).?
• Marketing and Consent Compliance: One of the mandates of most Privacy laws is that they require organizations to obtain explicit consent from individuals for sending marketing emails. An email retention policy ensures that consent is properly obtained, recorded, and managed, while also providing mechanisms for individuals to easily opt-out from receiving such communications.?
• E-Discovery and Legal Compliance: Emails can act a critical role in legal proceedings. An email retention policy helps organizations retain relevant emails, enabling them to comply with e-discovery requirements during litigation. This streamlines the process of identifying, preserving, and producing email evidence, minimizing legal risks and costs.?

The regulations around the email retention policy?

There are no specific regulations with respect to email retention. But some of the laws have certain sections which cover the email retention policy.?

• General Data Protection Regulation (GDPR): GDPR is one of the most powerful acts protecting the data privacy of EU citizens. It acts as a guiding light for data protection laws across the world, GDPR does not have specific sections dedicated solely to emails. However, several provisions of the GDPR are relevant to the processing and retention of personal data contained in emails. Here are some key sections and principles of the GDPR that might be applicable to emails:?
• Article 5: Principles relating to personal data processing: This article outlines the key principles for processing personal data, including lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality. These principles apply to personal data contained in emails as well.?
• Article 6: Lawfulness of processing: This article specifies the lawful bases for processing personal data. Organizations must ensure that the processing of personal data in emails is based on one of the lawful bases, such as the necessity of processing for the performance of a contract, compliance with a legal obligation, or legitimate interests.?
• Article 9: Special categories of personal data: This article applies when emails contain sensitive personal data, such as health information or religious beliefs. Processing such data is subject to additional restrictions and conditions, including explicit consent or other legal grounds for processing.?
• Article 12: Transparent information, communication, and modalities for the exercise of data subject rights: This article emphasizes the importance of providing clear and transparent information to data subjects, including information about the processing of personal data in emails. It also outlines data subjects' rights, such as the right to access, rectify, and erase their personal data.?
• Article 17: Right to erasure (right to be forgotten): This article grants individuals the right to request the erasure of their personal data in certain circumstances. Organizations must be able to identify and delete personal data contained in emails upon a valid request unless there are legal grounds for retaining it.?
• Article 25: Data protection by design and by default: This article requires organizations to implement appropriate technical and organizational measures to ensure data protection. It includes principles such as data minimization, pseudonymization, and encryption, which are relevant when handling personal data in emails.?

While there is no specific section exclusively dedicated to emails, these provisions of the GDPR provide the framework and principles that organizations should consider when processing and retaining personal data contained in emails. However, the regulation does not specify a specific retention period for email data.?

• Sarbanes-Oxley Act (SOX): SOX applies to publicly traded companies in the United States. It mandates the retention of certain business records, including emails, for a minimum of five years. The Act requires that records be accurate and unalterable, and organizations must have processes in place to ensure the integrity and security of their email records.?
• Health Insurance Portability and Accountability Act (HIPAA): HIPAA regulates the handling of protected health information (PHI) in the healthcare industry. While it doesn't provide specific email retention requirements, covered entities must retain email communications containing PHI for at least six years from the date of creation or the date when it was last in effect.?
• Financial Industry Regulatory Authority (FINRA): FINRA regulates broker-dealers and requires them to retain email communications for a minimum of three years. However, the Securities and Exchange Commission (SEC) Rule 17a-4 requires broker-dealers to retain and preserve records, including emails, for a period of six years.?

Some of the examples where an email retention policy acted as crucial.?

• Enron Scandal: In one of the most infamous corporate scandals, Enron's email retention practices played a significant role. The company's email retention policy was inadequate, resulting in the destruction of critical emails relevant to investigations into fraudulent activities. This hindered the legal proceedings and highlighted the importance of robust retention policies in ensuring transparency and accountability.?
• Volkswagen (VW) Emissions Scandal: The VW "Dieselgate" scandal involved the manipulation of emissions tests. In this case, a deficient email retention policy resulted in the deletion of crucial emails that could have provided evidence of the company's wrongdoing, hampered investigations, and prolonged the importance of an email retention policy can be seen in the case of Volkswagen (VW) and the "Dieselgate" scandal. In 2015, it was revealed that VW had installed software in their diesel vehicles to manipulate emissions tests. During the investigation and subsequent litigation, email evidence played a crucial role in uncovering the extent of the deception and holding responsible parties accountable. However, it was discovered that VW had an inadequate email retention policy in place, resulting in the deletion of critical emails and hindering the investigation process.?
• Sony Pictures Entertainment Cyber Attack: Sony Pictures Entertainment experienced a massive cyber-attack in 2014, resulting in the theft and release of sensitive corporate information and employee emails. The incident highlighted the need for a robust email retention policy that could have helped in identifying the extent of the breach, responding effectively, and preserving evidence for investigation.?
• Wells Fargo Unauthorized Accounts Scandal: Wells Fargo's failure to retain relevant emails related to their unauthorized accounts scandal impeded investigations and delayed the resolution of the case. The absence of a robust email retention policy hindered the ability to establish accountability, resulting in significant financial penalties and reputational damage for the bank.?

These real-world cases emphasize the critical role of email retention policies in various industries, ranging from corporate scandals and government controversies to regulatory compliance and data protection. Implementing and enforcing robust retention policies can enhance transparency, facilitate investigations, and mitigate legal and reputational risks.?

?How can data in the email be protected??

To protect data in emails as per regulations, a company can implement the following measures:?

• Encryption: Use email encryption technologies to secure the content of emails. This ensures that only authorized recipients can access and decrypt the information, mitigating the risk of unauthorized interception or access.?
• Access Controls: Implement robust access controls to limit who can access sensitive data in emails. This includes strong user authentication mechanisms, role-based access controls, and permission settings to restrict access to authorized individuals.?
• Secure Email Gateway: Deploy a secure email gateway solution that can detect and block malicious emails, spam, and phishing attempts. This helps prevent unauthorized access, data breaches, and other email-related security risks.?
• Data Loss Prevention (DLP): Implement a DLP solution to monitor outgoing emails and prevent the accidental or intentional leakage of sensitive data. DLP can detect and block emails containing specific types of sensitive information, such as credit card numbers or personal identification numbers (PINs).?
• Employee Training and Awareness: Conduct regular training sessions to educate employees about email security best practices, such as identifying phishing attempts, using strong passwords, and being cautious about sharing sensitive information via email. Promote a culture of security awareness and vigilance among employees.?
• Retention and Disposal Policies: Establish and enforce an email retention policy that aligns with applicable regulations. Clearly define retention periods for different types of emails, ensuring data is not retained longer than necessary. Implement secure procedures for the disposal of emails at the end of their retention period.?
• Incident Response and Breach Notification: Develop an incident response plan that includes procedures for promptly detecting, responding to, and containing email-related security incidents or breaches. Establish a process for notifying affected individuals and regulatory authorities in accordance with data breach notification requirements.?
• Regular Auditing and Compliance Assessments: Conduct periodic audits and assessments to ensure compliance with relevant regulations, including verifying that email security controls are effective and up to date. Regularly review and update email security measures to address emerging threats and vulnerabilities.?

By implementing these measures, a company can enhance the protection of data in emails, reduce the risk of unauthorized access or data breaches, and demonstrate compliance with regulations governing email data security.?

Conclusion

In an era of heightened privacy concerns, having a well-crafted email retention policy is crucial for organizations worldwide. It facilitates compliance with diverse privacy laws, enables efficient data subject rights management, minimizes data breach risks, ensures compliant international data transfers, aids marketing consent compliance, and supports legal compliance during e-discovery. By proactively addressing these considerations, organizations can safeguard personal information, maintain trust with stakeholders, and navigate the complexities of global privacy regulations successfully.?