UK Email Retention Law

You should check whether you still need personal data after the expiry of a standard retention period and delete or anonymize it, unless there is a clear justification for longer retention. Automated systems can mark records for review or delete information after a predefined period of time. This is especially useful if you have multiple records of the same type. Automated data retention could have been a saving grace for Tuckers. In a statement during the investigation, Tuckers explained to the Commissioner: “The data accessed was located in locations that were not managed proactively enough to ensure that data that was still stored outside of our retention periods was then deleted.”

When in doubt, don't destroy the original! Play it safe and keep the original emails. The likelihood of getting into trouble due to excessive retention is usually outweighed by the prospect of destroying potentially important evidence.

There are 2 major data retention laws in the UK: the Data Protection Act (DPA)/GDPR and the Freedom of Information Act. Taking a closer look at these laws, we will attempt to answer the most common questions about data retention requirements in the UK and whether data archiving is mandatory.

We have a policy with standard retention periods where possible, in accordance with documentation requirements.

Overall, we see many conflicts of interest when it comes to an individual's privacy and the need to retain certain communication data, which only underscores the need to carefully review all relevant regulations that apply to a particular organization or company and to engage a legal expert when designing data retention policies.

A company needs to create a clear matrix that uniquely identifies different categories of email and data and defines an exact retention policy for each category. The law also allows people to request copies of any personal data held about them, including emails about them. Upon request, a company has 40 days to comply with the requirements. This is one reason to consider a forced deletion policy when email archiving is not regulated or required. These don't go so far as to tell your customers how long to keep emails, but they do provide the guidelines around which they can develop their own approach.

Many people using Microsoft 365 will feel like they have all of this covered by the fact that they're using a cloud service. Of course, this is not true: this data is not secured in such a way as to be accessible to users and is therefore unsuitable for the implementation of an ERP system. To provide eDiscovery, retention, compliance, and visibility, Office 365 requires E3 with add-ons or E5 licenses for each user, including shared, inactive, former and legacy users. MailMeter works with any license, so you only pay for the license you need.

Several large industries are heavily regulated in the United States, and various state and industry-specific laws and regulations (FINRA, SEC, GLBA, SOX, FOIA, FERPA, and others) provide guidelines for the retention and destruction of email and other electronic communications records. With the increasing amount of data collected by businesses today, it's no wonder that creating and enforcing a robust data retention policy is essential.

However, due to the rapidly changing threat landscape and new privacy laws and regulations, it can be difficult for organizations to know what email data they need to keep and for how long. Manual implementation is simply a non-runner. For more detailed checklists and practical retention tips, please use the ICO Self-Assessment Toolkit – Records Management Checklist.

An email retention policy defines how long an organization should keep messages in an appropriate archiving system before they are automatically deleted. Here are some basic rules and steps when creating a data retention plan:

Under the EU Data Retention Directive, it would be mandatory for EU Member States to keep citizens' communication data (phone records, SMS, emails and web data) for 6 to 24 months, depending on the type of record. However, the directive was annulled by the Court of Justice of the European Union in 2014 for violating fundamental human rights. Similarly, the UK's Investigatory Powers Act would give authorities “the power to access huge databases of personal telephone and computer data”.

It's not just the consequences for the business of losing emails. At some point it's inevitable that most companies will engage in some form of litigation and need evidence to back up their position, or increasingly have to respond to an eDiscovery request. Today, companies rely on data to support their business processes. Email is the most common form of corporate communication, and reliable access to email determines business continuity. Whether it's the federal government, healthcare, financial services, manufacturing, hospitality, retail, telecommunications, or education, there are sensitive resources that malicious hackers can and will easily steal. It is also recommended that you periodically review your retention of personal data beforehand, particularly if the standard retention period is long or may have a significant impact on individuals.

Email archiving and eDiscovery isn't just a technical challenge. Industry laws, regulations, and best practices establish a complex framework of rigid guidelines and rules that organizations must adhere to when retaining email records.

What laws and regulations should UK businesses consider when creating a corporate email retention policy, and how do these rules affect their policies? To meet documentation requirements, you should, to the extent possible, establish and document standard retention periods for different categories of information you hold. It is also advisable to have a system in place to ensure that your organization adheres to these retention periods in practice, and to review retention at reasonable intervals.