Email Retention Policy Best Practices for 2023 and Beyond

Bojana Krstić
Jatheon Technologies Inc
13 min read · Feb 1, 2021

Despite the increasing prominence of other communication methods, email still plays a central role in modern business. It’s used to share information, discuss decisions, send business documents and communicate changes. This brings us to the issue of email retention — emails are important documents which need to be retained just like any other business record.

Organizations use email archiving solutions to ensure that their emails are retained in accordance with relevant legal and regulatory requirements. But there are other measures that need to be taken to keep email records compliant. A key one among them is an email retention policy.

What is an email retention policy?

An email retention policy is a company policy that defines how long email messages should be retained before they are permanently deleted. These policies largely depend on specific government regulations and vary across industries. This is why the key step is to get informed about which laws and regulations apply to your industry and then create policies that reflect them.

Having an email retention policy is important for a number of reasons — the major two being the need to save space on your email server and the need to stay in line with federal and industry record-keeping regulations.

Defining how long your company will keep email communication can prove more challenging than you initially thought. The first stumbling block is that different departments will advocate for different retention windows.

How long should your retention policy really be?

There are both positive and negative aspects of having a longer retention policy, the main pros being business continuity and the fact that executives rely on old email chains to recollect past decisions. The cons are reflected in the fact that the longer the policy, the bigger the risk that some sensitive information will be exposed through unauthorized access or a security breach.

When it comes to short retention policies, they might violate various regulations that require that organizations in certain industries retain email and other electronic information for a number of years. Their major advantage, however, is that they are cheaper to implement and that they reduce the chance of being caught up in a legal investigation that focuses on information captured in emails. That’s why your legal department will generally support shorter retention periods that reflect the regulatory minimum.

Email retention policy best practices

1. Analyze relevant regulations

The process of designing an email retention policy should begin by listing all relevant regulations and the retention requirements outlined in each law that applies to your organization. These recommended retention periods may vary significantly based on the industry you belong to and the geolocation of your business. Here’s a list of major US laws and prescribed retention periods:

| Industry | Regulation/Regulatory Body | Retention Period |
|---|---|---|
| All | Internal Revenue Service (IRS) | 7 years |
| All (Government + Education) | Freedom of Information Act (FOIA) | 3 years |
| All public companies | Sarbanes-Oxley (SOX) | 7 years |
| Education | FERPA | 5 years |
| Financial | Gramm-Leach-Bliley Act (GLBA) | 7 years |
| Financial (Banking) | FDIC | 5 years |
| Financial (Brokers, dealers, investment bankers, securities firms) | FINRA, SEC 17a-4, SEC 17a-3 | 7 years |
| DOD contractors | DOD 5015.2 | 3 years |
| Credit card companies | PCI DSS | 1 year |
| Healthcare | HIPAA | 7 years |
| Pharmaceutical | FDA | 2 years |
| Telecommunications | FCC | 2 years |

If the retention period is not outlined for your industry or a particular type of data, it’s recommended to stick to the minimum IRS recommendation of 7 years.

It’s important to begin with these regulatory minimums and to involve both your IT and legal departments in creating the policy. Legal will not only be able to provide counsel based on the above regulations, but also come up with ideas on how to segment your data for retention.

2. Create the email retention policy

As we saw in the introduction, some C-level executives will expect to have access to their historical email for longer time periods, so you might need to specify multiple policies based on different criteria like email type, the sender, the recipient, the topic or the department.

For instance, your policy can be designed in such a way that spam messages are never retained, your general correspondence is retained for 5 years, administrative and HR for 7 years, and then CEO correspondence, invoices and sales records are kept for 10 years or forever.

Do not leave it up to your employees to manage their own email and assume that the important records will still be there when the time comes to produce them. Take the time to create a detailed email retention policy, and make sure to review it periodically.

It’s important to note that unstructured data like social media, content from chat apps, text messages and calls are also regulated nowadays. Read more about these evolving regulations:

Creating a Text Messaging Policy: A Guide for Government Agencies

10 Quick Facts About Text Messaging and FOIA

How to Avoid the Risks of Social Media for Business

Importance of Text Message Archiving in 2021

Email and Social Media in Employee Investigation & Ediscovery

Social Media Archiving in Regulated Industries: Why It Matters in 2021

Finally, your policy needs to contain strict guidelines regarding document deletion. It’s best to automate this process, which leads us to our number three best practice.

3. Get an email archiving solution

After specifying your email retention policy, you need to start tracking and retaining the outbound, inbound and internal email communication to ensure compliance.

But how do you control who removes emails after a policy expires? How do you track which policy applies to which group of messages? How do you know whose messages to preserve and for how long? What if you want to create your own policies? It would be a nightmare to do this manually.

The prime benefit of email archiving in terms of retention policies is that emails can be removed after a specified period without manual intervention. Automating this process is key as it fully eliminates the possibility of human error, prevents tampering with email contents and removes liability.

Without a comprehensive, company-wide approach to email management, you won’t know if the policies are being adhered to, especially if you leave their implementation to the judgment of department managers or end users. The majority of breaches and leaks of sensitive information happen because of the human factor — all it takes is one rogue or careless employee.

To prevent that, automating the process is the answer. One of the main benefits of data archiving technology is precisely its ability to help you ensure email compliance.

Unsurprisingly, the central email retention problem is the potential for important emails to be deleted. While your policy needs to contain strict guidelines regarding the deletion of business email, your email archiving system is there to help you implement them.

Email archiving solutions allow you to define email retention policies based on various criteria (type of data, regulations, department preferences), retain the email for as long as necessary and then purge the information only after the retention period expires in order for the data not to become an unnecessary liability. For instance, if a policy is set to last for 7 years, the delete functionality will make sure that all emails are automatically deleted immediately after the retention period expires.

Your email archiving software will automatically retain emails which are matched to a certain policy and keep them for as long as you specified in the parameters. The only thing you need to do periodically after setting up a new policy or rule is to update it in order for it to reflect the new laws, regulations and best practices.
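The sample schedule from best practice 2, turned into an automated purge decision. This is an added example, not Jatheon's code or part of the original article. The category labels, the longest-period-wins rule for messages that match several policies, and the choice of "forever" for CEO mail are assumptions.

```python
from dataclasses import dataclass
from datetime import date

FOREVER = None  # sentinel: the message is never purged

# Years per category, taken from the article's sample policy. The category
# labels are assumptions; "or forever" is applied to CEO mail as one choice.
SCHEDULE = {
    "spam": 0,          # never retained
    "general": 5,
    "admin": 7,
    "hr": 7,
    "invoice": 10,
    "sales": 10,
    "ceo": FOREVER,
}
DEFAULT_YEARS = 7  # the article's fallback when no period is outlined


@dataclass(frozen=True)
class Message:
    msg_id: str
    received: date
    categories: tuple = ()  # labels assigned by upstream classification rules


def retention_years(msg):
    """Longest matching period wins (assumed rule for overlapping policies)."""
    matched = [SCHEDULE[c] for c in msg.categories if c in SCHEDULE]
    if not matched:
        return DEFAULT_YEARS
    return FOREVER if FOREVER in matched else max(matched)


def purge_date(msg):
    """First day the message may be deleted, or None if kept forever."""
    years = retention_years(msg)
    if years is FOREVER:
        return None
    try:
        return msg.received.replace(year=msg.received.year + years)
    except ValueError:  # received on Feb 29 and the target year has no Feb 29
        return msg.received.replace(year=msg.received.year + years, day=28)


def purge_batch(messages, today):
    """Ids of messages whose retention period has expired as of `today`."""
    due = []
    for msg in messages:
        when = purge_date(msg)
        if when is not None and when <= today:
            due.append(msg.msg_id)
    return due


# Constructed sample archive.
SAMPLE = [
    Message("m1", date(2015, 3, 1), ("general",)),
    Message("m2", date(2015, 3, 1), ("hr",)),
    Message("m3", date(2012, 2, 29), ("general", "invoice")),
    Message("m4", date(2021, 1, 31), ("spam",)),
    Message("m5", date(2000, 1, 1), ("ceo", "general")),
    Message("m6", date(2014, 1, 31)),
]
```

Running `purge_batch(SAMPLE, date(2021, 2, 1))` selects the expired general message, the spam, and the uncategorised message that fell back to the 7-year default.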

4. Use it to proactively monitor communications

Your email archiving software can also help your compliance and HR teams to track employee misbehavior or prevent the sharing of sensitive business information, which might cause legal issues.

You can accomplish this by creating your own internal company policies. Policies and rules may also be used to control adherence to specific professional guidelines. For example, if you want to ensure that your staff aren’t using any foul language while communicating with each other, the appliance can monitor only internal conversations and email exchanges and then notify the responsible persons.

Let’s say you want to track the use of foul language in your staff’s digital communication. On Jatheon’s cloud email archiving software (Jatheon Cloud), it can be done in the following way:

  • You’ll first need to create a keyword list. There are many available lists of profanity/potentially problematic keywords that you can simply copy-paste into your software.
  • Once you’ve created the keyword list, go on to create a retention policy or a rule. On Jatheon Cloud, this is done through retention tags, where you’ll be able to define the tag name (Profanity), the time when the emails can be deleted (here it’s set to indefinitely, which means that they will remain in the archive forever), and specify the date range.
  • If you’re scanning for curse words in the entire email (subjects, message body, and attachments), you can choose the Message criterion under Retention Search Term, and then choose the keyword list you’ve created. Confirm by clicking the Save button.
  • You’ll then be able to see the list of all retention tags you have created so far, including Profanity.

Your email archiving solution will then automatically retain emails that match the policy, scan all outgoing, incoming and internal messages for these keywords and notify admins or compliance officers in case a rule is broken.

Other practical examples of proactive monitoring through retention policies can be the scanning of electronic communication for credit card or social security numbers.
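A sketch of the matching logic behind such monitoring rules: a keyword list applied to internal mail only, plus card-number and social security number detection. This is an added example, not Jatheon Cloud's implementation; the tag names other than Profanity, the `example.com` domain, the message layout and the regular expressions are assumptions.

```python
import re

KEYWORDS = {"darn", "heck"}  # constructed stand-in for a pasted keyword list
COMPANY_DOMAIN = "example.com"  # assumed company mail domain
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits):
    """Luhn checksum; rejects order numbers and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


def is_internal(msg):
    """True when sender and every recipient are on the company domain."""
    addrs = [msg["from"], *msg["to"]]
    return all(a.lower().endswith("@" + COMPANY_DOMAIN) for a in addrs)


def retention_tags(msg):
    """Tags matched by subject, body and extracted attachment text."""
    text = " ".join([msg["subject"], msg["body"], *msg.get("attachments", [])])
    tags = set()
    words = set(re.findall(r"[a-z']+", text.lower()))
    if is_internal(msg) and words & KEYWORDS:  # profanity: internal mail only
        tags.add("Profanity")
    cards = (re.sub(r"[ -]", "", m.group()) for m in CARD_RE.finditer(text))
    if any(luhn_ok(c) for c in cards):
        tags.add("CardNumber")
    if SSN_RE.search(text):
        tags.add("SSN")
    return tags


def alerts(messages):
    """(id, sorted tag names) per match; the matched value is never copied."""
    found = ((m["id"], sorted(retention_tags(m))) for m in messages)
    return [(mid, tags) for mid, tags in found if tags]


# Constructed sample traffic; 4111 1111 1111 1111 is a standard test number.
SAMPLE = [
    {"id": "m1", "from": "al@example.com", "to": ["bo@example.com"],
     "subject": "Build", "body": "Well darn, it broke again."},
    {"id": "m2", "from": "al@example.com", "to": ["buyer@customer.test"],
     "subject": "Offer", "body": "That is a heck of a deal."},
    {"id": "m3", "from": "buyer@customer.test", "to": ["al@example.com"],
     "subject": "Payment", "body": "Charge card 4111 1111 1111 1111, thanks."},
    {"id": "m4", "from": "shop@example.com", "to": ["bo@example.com"],
     "subject": "Shipping", "body": "Order 1234567890123456 has shipped."},
    {"id": "m5", "from": "hr@example.com", "to": ["pay@example.com"],
     "subject": "Form", "body": "", "attachments": ["SSN: 123-45-6789"]},
]
```

The 16-digit order number in `m4` is not tagged because it fails the Luhn check, and `m2` is not tagged because the keyword rule is scoped to internal conversations.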

5. Be consistent, inform your staff and enforce your policy

It is of key importance that the email retention rules are applied across all departments and at every level of the business. An email retention policy only works if it’s applied to the whole business.

Once you have an email retention policy in place, you need to make sure all of your employees are aware of it. Communicate the rules directly to the staff and include the retention policy in the staff handbook for new hires. Remember to review the policy every once in a while and adapt it as needed.

When you have a policy and an informed workforce, you need to ensure that the policy is followed. That means that email retention needs to be monitored at all levels, with responsibility placed upon individuals to manage sections of the company.

Jatheon is a global leader in data archiving, compliance and ediscovery with 17 years of experience with on-premise archiving and a new, latest-generation cloud email archiving solution. If you’re looking to retain all vital business records under one roof, see how our cloud archiver can help manage enterprise records compliantly.

Originally published at https://jatheon.com on February 1, 2021.
