According to statistics, 97% of all business communication goes via email. Even though this number was expected to drop drastically with the rise of tools like Skype, Slack, and most recently, Zoom, they still leave a lot to be desired when it comes to the type of information the standardized email format relays as well as the level of confidentiality and security it brings.
While organizations today are generally aware they have the obligation of preserving all types of business communication to meet various local or industry-specific legislation, many are still uncertain of the appropriate length for their email retention policy.
Additionally, the question of what to do with emails once they are no longer needed for daily operations arises on a regular basis and it is crucial that companies have a way of resolving these issues or face legal and financial repercussions.
With plenty of detail to pay attention to, creating policies that adhere to strict guidelines can prove difficult and time-consuming. That is why thorough research is needed to collect as much information as possible.
Why Retain Business Emails
Email correspondence contains sensitive information about the relevant business entities, as well as their employees and business relations. Consequently, various email compliance regulations – state and federal – require companies to keep a record of their online communications for a prescribed amount of time and in a safe manner that also allows appropriate access and controls.
Such practice is mandatory even after business collaborations are over and employees leave companies as associated communications can still be the subject of eDiscovery requests in case of potential litigations.
Therefore, to protect reputations and avoid hefty fines, companies are actively turning to implement professional email archiving solutions in their internal infrastructure and appoint organization members as responsible for overseeing and executing relevant compliance practices.
How to Determine the Retention Period
The retention period length varies in accordance with the industry and region where the company is operating since different regulatory bodies stipulate different retention conditions and lengths. However, the most important factor in determining the amount of time before a company can delete email communication is the type of information handled via this medium.
For example, for managing everyday employee matters, such as sick leave or maternity records, companies are required to formulate a three-year email retention policy, while they need to save tax information for seven years. Furthermore, all communication pertaining to shareholders’ meetings and decisions needs to be kept for a minimum of 10 years.
However, it’s general practice for companies to extend the minimum required retention period by another year so as to minimize complications down the line.
Relevant Regulatory Bodies and Legislations
There are a number of regulatory bodies and acts that provide guidelines on how long business email communications must be preserved. Depending on where you operate and in what industry will very much effect which ones would impact your operations. Here are some of them.
- Civil Procedure Rules
Should a company be unable to produce records for auditing or litigation purposes, it faces a reprimand and a fine by the court. Email compliance regulations mandate that companies always be prepared for eDiscovery.
- The Data Protection Act
The DPA states that personal data cannot be kept longer than necessary, as well as that companies must take appropriate technical action to protect it from theft and misuse. While it’s recommended that CVs and job applications be kept only with personal consent and for as long as it takes to complete the recruiting process, companies are allowed to store the information for future reference for no longer than six years and make it available for a DPA request within 40 days.
- The Sarbanes-Oxley Act
The SOX Act imposes email compliance regulations on all businesses, regardless of their size, operating in the US or listed there by which all types of electronic communication must be preserved for five years with the threat of penalty or imprisonment if tampered with.
- The Health Insurance Portability and Accountability Act
All medical institutions in the US are required under HIPAA to keep all patient records confidential while also available for future reference. This means that not only does patient information, protected health information, and attached documentation need to be relayed via secure channels, but it also must be stored in compliance with strict HIPAA guidelines regarding email archiving.
- The Financial Services Act
The financial sector is regulated by SEC Rules 17a-3/a-4 and NASD Rules 3110/3170 which stipulate that all emails containing information about trading activities must be preserved for at least six years. Additionally, some records must be kept indefinitely and made available for review within the appropriate time frame.
- Freedom of Information
Organizations from the public sector are obligated to provide access to certain records of public interest (government, local authority, education documents) upon request while creating an email retention policy and taking appropriate actions to ensure their safety.
- The General Data Protection Regulation
The GDPR specifies that all companies doing business in the EU must take measures to protect consumers’ private information such as name, biometric data, location, contact, and financial information, as well as religious and cultural background and sexuality by encrypting data so that it cannot be associated with an individual.
How to Create a Retention Policy
When going into creating a company email retention policy, the first step is to document all regulations and requirements relevant for your industry and region in order to gain awareness of any existing retention periods and type of data subject to preserving. If, however, there is no legislation for your particular sector, the safe choice is a period of seven years.
Next, it’s important to include all company employees in executing the policy, but most notable positions are:
- Compliance officer – ensures data is preserved in the legally prescribed manner
- IT manager – sets strategies and procedures for email archiving in place
- Sysadmin – implements proper archiving tools
- All employees – follow company communication guidelines and use sanctioned channels.
Additionally, choosing the right online communication tool is crucial. It needs to adhere to both your company’s and prescribed legal requirements, as well as facilitate the eDiscovery process and enable entities authorized to access (such as compliance officers) to perform their professional duties in a timely manner and with high-quality results.
Easy search of a comprehensive email archiving database, message verification and timely expunge, customizable action alerts and levels of access, as well as a wide array of integrations with other relevant systems – these are some of the most frequently coveted features in archiving tools.
Ultimately, they need to eliminate human error and fraudulent behavior, provide a stable and secure data storing environment and enable the company to conduct their business within legal boundaries.
All companies come to face litigation sooner or later, which is why having a solid email retention policy in place is a must if you are to hope for a positive outcome and avoid a fine for not producing information relevant to the case in a timely manner. Answering the question of how long to save business email communication is just one aspect of it, but one that can ultimately tip the scales in your favor.
This is why it’s important to consult all relevant legislation for requirements, establish company-wide communication rules, and implement appropriate tools for preserving all types of business correspondence.