How to create an email retention policy

/ Technical
Last updated on April 15th, 2020

Email retention policies are all about reducing risk to your company. A truly successful policy strikes a balance between a retention period that is too long, keeping useless mail around (and discoverable) for years, and one that is too short, losing mail that turns out to be important.


Your policy needs to take into account any applicable legal or industry regulations without going overboard and trying to store every email indefinitely. If your company does not yet have an email retention policy then it is certainly worth drafting one, and here are five tips to get you started.

How do I create an email retention policy?

1. Start with the regulatory minimums

Every business will be subject to different regulations, so the first thing you should do when creating your policy is to review the regulations your company is subject to and the document retention requirements each one imposes. Some of the regulations you may need to consider include:

  • The Data Retention Regulations 2009
  • Freedom of Information Act
  • Financial Services Act
  • Sarbanes-Oxley Act (for US-related firms)
  • The Data Protection Act 1998 (since replaced by the Data Protection Act 2018)

If the retention period for a record is unknown then six years is a common safe default, because a claim for breach of contract can be brought up to six years after the breach (the limitation period in England and Wales). If your business is concerned about particular records then you should seek legal advice.

2. Segment your data by type of use

Once you have the regulatory minimums you will notice that the required periods vary widely. With this in mind, you may wish to segment emails by type, use or department so that you do not have to store all content for the longest retention period that applies to any of it.

For specific documents like PAYE records, maternity pay or statutory pay records, it is up to employers to assess retention periods based on business needs. If an employment tribunal may require the document as evidence then a retention period of six years makes sense. If the document could be needed for an HMRC review, then a minimum retention period of three years after the end of the tax year in which the payments were made is necessary.
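The two rules above are easy to state and easy to get subtly wrong when automated, because the HMRC period runs from the end of the tax year (5 April) rather than from the date of the email. The following is an added example, not code from the original article or from QuoStar, showing how a segmented retention schedule can be expressed and evaluated. The segment names (payroll, hr, contracts, board) are hypothetical; the periods are the ones given above, and the 6 April to 5 April tax year is the UK one implied by the HMRC reference.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional

# Assumption: UK tax year, ending 5 April (implied by the page's HMRC/PAYE context).
TAX_YEAR_END_MONTH, TAX_YEAR_END_DAY = 4, 5


def tax_year_end(d: date) -> date:
    """Return the 5 April that closes the UK tax year containing d."""
    end_this_year = date(d.year, TAX_YEAR_END_MONTH, TAX_YEAR_END_DAY)
    if d <= end_this_year:
        return end_this_year
    return date(d.year + 1, TAX_YEAR_END_MONTH, TAX_YEAR_END_DAY)


def add_years(d: date, years: int) -> date:
    """Add whole years, clamping 29 February to 28 February in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass(frozen=True)
class RetentionRule:
    years: Optional[int]            # None means permanent retention
    from_tax_year_end: bool = False  # count from 5 April rather than from the message date


# Hypothetical segments for illustration; the durations are the ones the article gives.
SCHEDULE: Dict[str, RetentionRule] = {
    "payroll":   RetentionRule(years=3, from_tax_year_end=True),  # HMRC review
    "hr":        RetentionRule(years=6),                          # employment tribunal evidence
    "contracts": RetentionRule(years=6),                          # breach-of-contract limitation
    "board":     RetentionRule(years=None),                       # permanent
    "default":   RetentionRule(years=6),                          # the article's safe default
}


def retention_expiry(segment: str, received: date,
                     schedule: Dict[str, RetentionRule] = SCHEDULE) -> Optional[date]:
    """Last day a message must be kept, or None if it is kept permanently.

    Unknown segments fall back to the default rule rather than to the
    shortest period, so a mis-tagged message is never destroyed early.
    """
    rule = schedule.get(segment, schedule["default"])
    if rule.years is None:
        return None
    start = tax_year_end(received) if rule.from_tax_year_end else received
    return add_years(start, rule.years)


def is_eligible_for_destruction(segment: str, received: date, today: date,
                                schedule: Dict[str, RetentionRule] = SCHEDULE) -> bool:
    """True only once the retention period has fully elapsed."""
    expiry = retention_expiry(segment, received, schedule)
    return expiry is not None and today > expiry


if __name__ == "__main__":
    # Constructed sample messages: (segment, date received)
    samples = [("payroll", date(2019, 3, 1)), ("payroll", date(2019, 4, 6)),
               ("hr", date(2019, 3, 1)), ("board", date(2019, 3, 1))]
    for seg, received in samples:
        print(seg, received, "->", retention_expiry(seg, received))
```

Note how two payroll emails a few weeks apart (1 March 2019 and 6 April 2019) get expiry dates a full year apart, because they fall into different tax years; a retention engine that simply adds three years to the message date would destroy the second one eleven months too early.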

3. Draft a real policy

Creating a policy, and getting it approved by senior management and legal professionals, gives you the authority to implement all the IT, security and process controls you need to enforce your email retention requirements. Your policy should include the following sections:

  • Purpose of the policy
  • Retention periods, including any segments you are using to define them. Durations are usually listed in years, or marked as permanent
  • The difference between paper and electronic documents, although ideally there should be none
  • What constitutes destruction (e.g. shredding, deleting, overwriting, or degaussing of media)

You do not have to name specific technologies and processes, but it is a good idea to refer to capabilities and requirements (e.g. offsite archival). You should also omit areas you will not or cannot support, such as types of segmentation you are unable to determine or enforce; a policy that promises controls you do not have is worse than one that is silent. If you haven't seen a full retention policy before there are plenty of examples online for you to reference.

4. Review the preferred solutions

Once you have the main points of your policy established, you can estimate your minimum requirements for a solution based on the number of users, the expected volume of email and the expected rate of growth. With this information you may be able to price out a solution roughly yourself, but you may also wish to obtain indicative quotes from suppliers. You should also prepare for any changes to the email retention policy which may affect your pricing, e.g. the minimum retention period increasing from 18 months to three years.

5. Involve legal in the policy process

If it is IT's responsibility to draft the email retention policy, then it is important to involve legal, whether that is an internal legal team or an external law firm. The main reason for this is so they can review the viability of the policy and confirm that it will meet your regulatory obligations.

Allowing legal to review the policy at this stage means you can present a unified front to the board. It also lets you evaluate the options you have laid out and identify any amendments legal have made that would drastically increase the cost, so they can be discussed and, where legal agree, removed before the policy is presented.

To conclude…

Given the number of different regulations and how they affect organisations, every business is likely to end up with its own email retention policy. Following these best practice tips will help you to create a policy which is effective, sensible and which you can actually enforce.

Interested in how cloud email archiving can help your business? Try QuoStar Mail Archive free for 30 days.

Intel and Microsoft are hoping hybrid ultrabooks will soon be a common sight in the workplace. The former sees the format as the perfect vehicle for its Ivy Bridge chipsets. While Redmond is looking to use the format to grab a share of the tablet operating system market. With their touchscreens, intuitive interfaces, instant-on capabilities and […]