Despite the increasing prominence of other communication methods, email still plays a central role in modern business. It’s used to share information, discuss decisions, send business documents and communicate changes. This brings us to the issue of email retention – emails are important documents which need to be retained just like any other business record.
Organizations use email archiving solutions to ensure that their emails are retained in accordance with relevant legal and regulatory requirements.
But there are other measures that need to be taken to keep email records compliant. A key one among them is an email retention policy.
What Is an Email Retention Policy?
An email retention policy is a company policy that defines how long email messages have to be retained before they are permanently deleted. These policies are based on a set of specific government regulations which differ across different industries. By adhering to these policies, companies can ensure they are compliant with federal and industry regulations and are efficiently managing their data.
A company can have multiple email retention policies, as well as separate email deletion and archiving policies. These policies can even differ in how long emails are retained or have different rules for different departments.
Defining how long your company will keep email communication can prove more challenging than you initially thought.
The Importance of Email Retention Policies
There are many reasons to implement an email retention policy in your organization. Some of them are:
- Legal Compliance – As most organizations need to comply with state and federal laws, email retention policies safeguard you against legal vulnerabilities. They ensure you are compliant with data protection laws and won’t get penalized.
- Legal Investigation – Email plays a big role in any legal dispute as it is the most used communication channel. A well-structured policy allows you to retain important emails and discover them quickly.
- Data Management – With so much information in emails like critical business documents, retention policies ensure they can’t be lost and can be found easily.
- Reputation and Trust – An organization that manages its email communications responsibly earns trust from its customers, law, and stakeholders.
- Risk Mitigation – Email retention policies minimize any potential legal and financial risks due to email mismanagement.
How Long Should Your Email Retention Policy Be?
Determining the length or timespan is a very important factor when creating an email retention policy as it influences how much storage and resources you need and how the internal policies will be followed.
There isn’t a one-size-fits-all solution to the perfect length as it’s regulated by three key factors.
- Legal and regulatory requirements – Laws regulating how long certain emails must be retained.
- Different industry standards – Best practices determine how long emails should be retained within an industry.
- Specific business needs – Operational needs for effective communication and collaboration.
The most important factor of the three being legal regulations.
In the below table, you can take a look at the major US laws and their prescribed email retention periods:
|Who It Applies To||Regulation/Regulatory Body||Retention Period|
|All Industries||Internal Revenue Service (IRS)||7 years|
|All (Government + Education)||Freedom of Information Act (FOIA)||3 years|
|All public companies||Sarbanes-Oxley (SOX)||7 years|
|Financial||Gramm-Leach-Bliley Act (GLBA)||7 years|
|Financial (Banking)||FDIC||5 years|
(Brokers, dealers, investment bankers, securities firms)
|FINRA, SEC 17a-4, SEC 17a-3||6 years|
|DOD contractors||DOD 5015.2||3 years|
|Credit card companies||PCI DSS||1 year|
In the end, there are both positives and negatives to having longer or shorter retention policies.
For instance, longer retention policies allow you to recollect much older emails and have better business continuity. Still, they can expose your data to unauthorized access and takes up more resource.
On the other hand, shorter retention policies are cheaper to implement and maintain and reduce the chances of being caught up in legal investigations focused on emails, but they risk violating various regulations in many industries.
Now that you understand the what, why, and how long email retention policies need to be, let’s get into the best practices you should employ.
Email Retention Policy Best Practices
If you aren’t sure where to start with email retention policies, or you already have one but want to make it better, follow these best practices.
1. Create a retention policy tailored to your organization
As already mentioned, there’s not a single email retention policy you can copy that will fit every industry and keep you compliant.
The worst thing you can do is ignore creating an email retention policy and hope your employees manage their own emails and important records. You will find yourself in trouble when the need for these emails arises and you won’t be able to restore them.
To create your email retention policy follow this process:
- Identify Stakeholders – Determine who in your organization will be involved in creating the policy. Key stakeholders are usually representatives from legal, finance, compliance, IT, data management, and similar roles.
- Understand Legal and Regulatory Requirements – Conduct research to identify specific regulations that apply to your industry and determine the length of your policy and data needed to be archived. (Refer to the above table)
- Define the Objectives and Retention Period – After researching everything outline why you are retaining emails and for how long.
- Classify Email Data – Categorize emails based on their importance, sensitivity, and regulatory implications. This classification will help in setting appropriate retention periods for each category.
- Create Procedures – Outline how you will retain emails, where they will be archived, which software you will use, how often you will review the data, and what to do in case of breaches and data loss.
- Legal Review – Pass your policy to the legal team for review and change it depending on the feedback.
- Implement the Policy – Once everything is finished it’s time to start implementing the policy in your organization and training your employees on what the policy means for them.
With your email retention policy created, you can proceed to improve it and implement even more best practices.
2. Utilize an email archiving solution
After defining your email retention policy, you will need to start tracking and retaining outbound, inbound, and internal email communication.
The job of controlling email access, tracking how the policy is applied, and preserving emails for a long time is very challenging. Making sure the policy is being followed is almost impossible to do manually.
Email archiving solutions allow you to define email retention policies based on various criteria like type of data, regulations, and department preferences, and even create multiple retention policies.
The biggest benefit is the cost-effective process of archiving emails on a cloud platform that retains them for as long as necessary and automatically deletes them after the retention period expires. This means, no manual work for you after creating the policy.
Going even further beyond, software like Jatheon automatically retains emails that match a certain policy and allows you to search for emails for that specific policy which is easy with its advanced filters.
3. Use email retention policies to proactively monitor communication
Your email archiving software can also help your compliance and HR teams track employee misbehavior or prevent the sharing of sensitive business information, which might cause legal issues.
This can be accomplished by creating internal company policies and rules that can be used to control specific professional guidelines.
For example, if you want to ensure your employees aren’t using foul language while communicating, the software can monitor conversations and notify you of inappropriate words. This can be accomplished following this process in Jatheon:
- You’ll first need to create a keyword list of inappropriate words. Here’s a list of common foul words that you can copy-paste into your software.
- Once you’ve created the keyword list, go on to create a retention policy or a rule. On Jatheon Cloud, this is done through retention tags, where you’ll be able to define the tag name (Profanity), the time when the emails can be deleted (here it’s set to indefinitely, which means that they will remain in the archive forever), and specify the date range.
- If you’re scanning for curse words in the entire email (subjects, message body, and attachments), you can choose the Message criterion under Retention Search Term, and then choose the keyword list you’ve created. Confirm by clicking the Save button.
- You’ll then be able to see the list of all retention tags you have created so far, including Profanity.
Your email archiving solution will automatically retain emails that match the policy by scanning emails for these keywords, and notify admins or compliance officers in case a rule is broken.
Other practical examples of proactive monitoring through retention policies can be the scanning of electronic communication for credit card or social security numbers.
4. Think beyond email retention and archiving
Although 61% of employees prefer email communication when talking about business-critical information, not all communication happens over email. Note the number of people using email as the only form of communication is decreasing every generation.
This means that there’s a lot of information being passed around alternative channels like social media and mobile messages. This information is very critical for an organization to stay compliant and use it in legal cases.
It’s very important to employ your retention policies to all other channels your organization uses for communication which can be challenging as this means you need to manage more than just emails.
Luckily, there are solutions like Jatheon that help you archive all of your channels including:
And the best part, everything is displayed in one user interface together with your email.
This gives you the option to utilize email archiving features on other channels and create different policies for different communication channels.
5. Regularly inform your staff, enforce, and update your policy
It is of key importance that the email retention rules are applied across all departments and at every level of the business. Email retention policy only works if it’s applied to the whole business.
Once you have an email retention policy in place, you need to make sure all of your employees are aware of it. Communicate the rules directly to the staff and include the retention policy in the staff handbook for new hires.
Remember that things can change, be that in the industry, or your policy isn’t working as well as you thought it would. Review your policy regularly and adapt it as needed.
When you have a policy and an informed workforce, you need to ensure that the policy is followed. That means that email retention needs to be monitored at all levels, with responsibility placed upon individuals to manage sections of the company.
6. Have a plan in place for legal holds
Most don’t think about them as they rarely happen, but having a plan for handling legal holds is very important to your retention and compliance.
Litigation holds require you to preserve data like emails and other communication when litigation is anticipated or pending. They are a mandatory obligation for your organization to stay compliant.
Your plan should designate responsibility, establish communication procedures for notifying stakeholders, and emphasize documentation, and removal processes.
All of these procedures can be ensured and sped up with the right legal hold and ediscovery solution that can be incorporated into your email retention policy safeguarding your organization during legal proceedings and demonstrating legal compliance.
Sloppy Policies are More Common Than You Think
If you think your email retention policy is perfect you should know that after 2012, the number of failed information requests rose to almost 30%.
Most of these problems arose when companies faced eDiscovery requests but weren’t able to comply due to poorly implemented retention policies.
Failing to comply with these requests results in huge fines, sanctions, bad reputation, and public backlash, so being prepared to handle these sorts of requests is very important.
Another fact is that almost 40% of retained data by these companies were being kept unnecessarily which reduced their efficiency in responding to requests and increased their costs due to the amount of data being stored.
Both of these problems could have been solved with the right email retention policy and the right archiving software.
So, think again about your policy, and go back and look through email policy best practices again as you might be missing something and not even noticing it.
Just having an email retention policy set up puts you above the 39% of US businesses that don’t even have one.
|Easily create custom email retention policies and archive your email communication with Jatheon’s cloud archiving solution. Stay compliant, speed up your ediscovery, and retain all of your business data in one easy-to-use solution for businesses of all sizes.|