28 Jul What You Need to Know About Email Retention Policies as an MSP
As the trusted IT provider for your clients, one of the ‘perks’ of your job is that you’re the defacto go-to authority for all manner of (sometimes fairly dry) topics.
Email retention policy quite possibly ranks high on the ‘dry’ scale, but it’s a topic both you and (and they!) really do need to be aware of.
The mailboxes of your customers are rapidly growing treasure troves of useful, important and sensitive information, and that will continue to be the case for years to come.
This makes them ticking time bombs if not cared for in the right way.
It’s not just the consequences to the company of losing email either, at some point it’s inevitable most businesses will run into some form of legal dispute and either need evidence to back up their position or increasingly commonly, be required to respond to an e-discovery request.
Many organizations are reporting that the volume of litigation and regulatory requests that they face are continuing to go up. E-Discovery must be regarded like any other business process, so standardizing it and automating the parts that can be automated will yield cost benefits. – Michael Osterman, Osterman Research, Inc.
This is where an Email Retention Policy can help.
What is an Email Retention Policy (ERP)?
An email retention policy defines how long a business should retain messages within an appropriate archiving system before they’re deleted automatically.
What Should an Email Retention Policy Cover?
An ERP should ideally cover all emails sent or received by the business, defining criteria for how long they should be stored, and an agreed process for how they should be eventually erased.
A fundamental part of any email retention policy is the ability to first have a reliable means to capture messages at source, and then delete them in an automated manner that’s protected against human error to reduce the risk of breaching any applicable laws and protocols.
Do Your Customers Really Need an Email Retention Policy?
Surely this isn’t something your SMB customers need to be thinking about though?
Even the smallest of businesses tend to rely heavily on email and normally need reminding of the volume and type of information that’s held within their mailboxes, that they really should have a policy over.
- Regulatory Compliance – Most businesses have to comply with some degree of regulation that requires them to produce emails during an investigation or an audit.
- Legal Discovery – If a business is involved in a legal process, legal representatives on both sides may ask for proof of email correspondence related to a case.
- Knowledge Management – Emails not only contain general business correspondence but also include documents that are needed for future projects. A key benefit of an ERP is being able to access these knowledge-based emails even after an employee is either sacked or leaves the business.
- Information Security – Emails almost always include more confidential business data than they should, and an ERP is a piece of the puzzle to help ensure this information is protected.
- Cybersecurity – An email retention policy can also help you secure your corporate information against various cybercrimes.
Email Retention Regulations in the UK & US
Before you get into talking to your clients about having an email retention policy, it’s worth knowing which are the regulations that are applicable.
Suggested retention periods may vary considerably based on the industry you belong to and the physical location of your company but the following is a guide.
UK Email Retention Regulations
In the UK, there are no general cross-sector regulations for how long emails should be retained, unless you’re in an industry that is impacted by some specific legislation or heavily regulated by an industry body.
The primary regulations that will inform their policy decisions are:-
- The Freedom of Information Act 2000 (FOIA 2000)
- Public Records Act 1958 (PRA 1958)
- Data Protection Act 2018 (DPA 2018)
- General Data Protection Regulation (GDPR)
These all contain guidance but even post-Brexit it’s the GDPR email regulation that’s of particular relevance.
These won’t actually go as far as to tell your customers how long they should keep email for, but they do provide the guidelines around which they can come up with their own approach.
An example of this is the Data Protection Act which states “personal data processed for any of the law enforcement purposes must be kept for no longer than is necessary for the purpose for which it is processed.” So it’s not actually defining a period but suggesting companies make their own decision.
US Email Retention Regulations
Regulation that applies to companies in the US gets more specific than in the UK and Europe – below is a list of US regulatory bodies and their recommended retention periods:
Top 4 Email Retention Best Practices
Whether your clients are small businesses or large enterprises, there are the best practices to keep in mind:
- Create an Organisation-wide Email Retention Policy – To be fully prepared for any legal discovery or proceedings, businesses need to come up with a retention policy across the business with input from both you as the IT provider and potentially a legal professional.
- Know What & When to Archive – Included in the policy should be retaining email for long durations, certainly longer than the memory of staff.
- Ensure Easy Access – Email messages should be archived, indexed, and easily searchable by a business owner, preferably without your input as the IT provider, so they can be traced quickly whenever needed.
- Retain Emails When Hiring – The recruitment process is a time when your clients need to be particularly careful about retaining messages with applicants for evidence, just in case an unsuccessful applicant accuses you of unfair behaviour.
Simplify Email Retention Policy Compliance with MailStore
Many of your clients using Microsoft 365 will be under the impression they have all of this covered by nature of the fact they’re using a cloud service. That’s not right of course, this data isn’t backed up in a way that’s accessible to users and is therefore unsuitable for implementing an ERP.
To ensure compliance with email retention policies, your clients need secure, platform-independent email archiving, which reduces the risk of human error and data breach, and provides that important peace of mind there is a perfect copy of all correspondence.
Email archiving with a software solution such as MailStore enables you to keep a complete record of all incoming and outgoing emails, comply with industry regulations, and reduce the risk of losing important or sensitive conversation threads you may need at a later date.