July 02, 2024 by Bojana Krstic

Effective Email Retention Policy Best Practices for Staying Compliant

Despite the increasing prominence of other communication methods, email still plays a central role in modern business. It’s used to share information, discuss decisions, send business documents, and communicate changes. This brings us to the issue of email retention — emails are important documents that need to be retained just like any other business record.

Organizations use email archiving solutions to ensure that their emails are retained in accordance with relevant legal and regulatory requirements.

However, additional measures are necessary to maintain email record compliance. A key component is establishing a comprehensive email retention policy.

To help you understand email retention requirements and stay compliant with all the relevant privacy and data-retention regulations, this blog post will cover:

  • What is an email retention policy, and why it’s essential to implement it
  • How long your organization should keep emails archived
  • Key email retention policy best practices
  • What are the repercussions of non-compliance

What Is an Email Retention Policy?

An email retention policy is a company policy that defines how long email messages have to be retained before they are permanently deleted. These policies are based on a set of specific government regulations that differ across different industries. By adhering to these policies, companies can ensure they comply with federal and industry regulations and efficiently manage their data.

A company can have multiple email retention policies, as well as separate email deletion and archiving policies. These policies can even differ in how long emails are retained or have different rules for different departments.

Defining how long your company will keep email communication can prove more challenging than you initially thought.

The Importance of Email Retention Policies

There are many reasons to implement an email retention policy in your organization. Some of them are:

  • Legal compliance. As most organizations need to comply with state and federal laws, email retention policies safeguard you against legal vulnerabilities. They ensure you are compliant with data protection laws and won’t get penalized.
  • Legal investigation. Email plays a significant role in any legal dispute as it is the most used communication channel. A well-structured policy allows you to retain important emails and discover them quickly.
  • Data management. Email retention policies safeguard critical business documents and other vital information from loss, ensuring efficient retrieval and organized data management.
  • Reputation and trust. Effective email management demonstrates responsibility and builds trust with customers, legal entities, and stakeholders.
  • Risk mitigation. Email retention policies minimize any potential legal and financial risks due to email mismanagement.

How Long Should Your Email Retention Policy Be?

Determining the length or timespan is a very important factor when creating an email retention policy, as it influences how much storage and resources you need and how the internal policies will be followed.

There isn’t a one-size-fits-all solution to the perfect length as it’s regulated by three key factors.

  • Legal and regulatory email retention requirements. Laws regulating how long certain emails must be retained.
  • Different industry standards. Best practices determine how long emails should be retained within a specific industry.
  • Specific business needs. Operational needs for effective communication and collaboration.

The most important factor of the three being legal regulations.

The following table outlines the major US laws and their prescribed email retention periods:

Who It Applies To Regulation/Regulatory Body Retention Period
All Industries Internal Revenue Service (IRS) 7 years
All (Government + Education) Freedom of Information Act (FOIA) 3 years
All public companies Sarbanes-Oxley (SOX) 7 years
Education FERPA  5 years
Financial Gramm-Leach-Bliley Act (GLBA) 7 years
Financial (Banking) FDIC 5 years
Financial
(Brokers, dealers, investment bankers, securities firms)
FINRA, SEC 17a-4, SEC 17a-3 6 years 
DOD contractors DOD 5015.2 3 years
Credit card companies PCI DSS 1 year
Healthcare HIPAA 7 years
Pharmaceutical  FDA 2 years
Telecommunications FCC 2 years

In the end, there are both positives and negatives to having longer or shorter retention policies.

For instance, longer retention policies allow you to keep much older emails and have better business continuity. Still, they can expose your data to unauthorized access and take up more resources.

On the other hand, shorter retention policies are cheaper to implement and maintain and reduce the chances of being caught up in legal investigations focused on emails, but they risk violating various regulations in many industries.

Now that you understand the what, why, and how long email retention policies need to be, let’s get into the best practices you should employ.

Email Retention Policy Best Practices

If you aren’t sure where to start with email retention policies, or you already have one but want to make it better, follow these best practices.

1. Create a retention policy tailored to your organization

As already mentioned, there’s not a single email retention policy you can copy that will fit every industry and keep you compliant.

The worst thing you can do is ignore creating an email retention policy and hope your employees manage their own emails and important records. You will find yourself in trouble when the need for these emails arises, and you won’t be able to restore them.

To create your email retention policy follow this process:

  1. Identify stakeholders. Determine who in your organization will be involved in creating the policy. Key stakeholders are usually representatives from legal, finance, compliance, IT, data management, and similar roles.
  2. Understand legal and regulatory requirements. Conduct research to identify specific regulations that apply to your industry and determine the length of your policy and data needed to be archived. (Refer to the above table)
  3. Define the objectives and retention period. After researching everything, outline why you are retaining emails and for how long.
  4. Classify email data. Categorize emails based on their importance, sensitivity, and regulatory implications. This classification will help in setting appropriate retention periods for each category.
  5. Create procedures. Determine how you will retain emails, where they will be archived, which software you will use, how often you will review the data, and what to do in case of breaches and data loss.
  6. Legal review. Pass your policy to the legal team for review and change it depending on the feedback.
  7. Implement the policy. Once everything is finished, it’s time to start implementing the policy in your organization and training your employees on what it means for them.

With your email retention policy created, you can move on to improving it and implementing additional best practices.

2. Utilize an email archiving solution

After defining your email retention policy, you will need to start tracking and retaining outbound, inbound, and internal email communication.

The job of controlling email access, tracking how the policy is applied, and preserving emails for a long time is very challenging. Making sure the policy is being followed is almost impossible to do manually.

That’s where email archiving solutions like Jatheon help you automate key processes and fully eliminate the possibility of human error or intentional employee misconduct.

Email archiving solutions allow you to define email retention policies based on various criteria, such as the type of data, regulations, and department preferences, and even create multiple retention policies.

Jatheon Cloud Retention

The biggest benefit is the cost-effective process of archiving emails on a cloud platform that retains them for as long as necessary and automatically deletes them after the retention period expires. This means no manual work for you after creating the policy.

Going even further beyond, software like Jatheon automatically retains emails that match a certain policy and allows you to search for emails for that specific policy, which is easy with its advanced filters.

Jatheon Cloud Advanced Search 02

3. Use email retention policies to proactively monitor communication

Your email archiving software can also help your compliance and HR teams track employee misbehavior or prevent sharing sensitive business information, which might cause legal issues.

This can be accomplished by creating internal company policies and rules that can be used to control specific professional guidelines.

For example, if you want to ensure your employees aren’t using foul language while communicating, the software can monitor conversations and notify you of inappropriate words. This can be accomplished following this process in Jatheon:

Keyword Lists screen

  • Once you’ve created the keyword list, go on to create a retention policy or a rule. On Jatheon Cloud, this is done through retention tags, where you’ll be able to define the tag name (Profanity), the time when the emails can be deleted (here it’s set to indefinitely, which means that they will remain the archive forever), and specify the date range.

New Retention Tag creation

  • If you’re scanning for curse words in the entire email (subjects, message body, and attachments), you can choose the Message criterion under Retention Search Term and then choose the keyword list you’ve created. Confirm by clicking the Save button.

New Retention Tag creation 2

  • You’ll then be able to see the list of all retention tags you have created so far, including Profanity.

Retention tags list

Your email archiving solution will automatically retain emails that match the policy by scanning emails for these keywords, and notify admins or compliance officers in case a rule is broken.

Other practical examples of proactive monitoring through retention policies can be the scanning of electronic communication for credit card or social security numbers.

4. Think beyond email retention and archiving

Although almost 63% of business professionals prefer email communication when talking about business-critical information, not all communication happens over this medium. Its dominance is waning with each generation, and it no longer serves as the sole method of communication.

This means that there’s a lot of information being passed around alternative channels like social media and mobile messages. This information is very critical for an organization to stay compliant and use it in legal cases.

It’s very important to apply your retention policies to all other communication channels your organization uses, which can be challenging as this means you need to manage more than just emails.

Luckily, there are solutions like Jatheon that help you archive all of your channels, including:

The best part is that everything is displayed in one user interface, together with your email.

This allows you to utilize email archiving features on other channels and create different policies for different communication platforms.

5. Regularly inform your staff, enforce, and update your policy

It is crucial that the email retention rules are applied across all departments and at every level of the business. An email retention policy only works if it’s applied consistently to the whole organization.

Once you have an email retention policy in place, you need to make sure all of your employees are aware of it. Communicate the rules directly to the staff and include the retention policy in the staff handbook for new hires.

As industry regulations evolve and the effectiveness of your policy may change over time, regularly review and update your email retention policy to ensure its continued relevance and efficacy.

When you have a policy and an informed workforce, you need to ensure that the policy is followed. That means that email retention needs to be monitored at all levels, and employees must be responsible for managing sections of the company.

6. Have a plan in place for legal holds

Most don’t think about them as they rarely happen, but having a plan for handling legal holds is very important to your retention and compliance.

Litigation holds require you to preserve data like emails and other communication when litigation is anticipated or pending. They are a mandatory obligation for your organization to stay compliant.

Your plan should designate responsibility, establish communication procedures for notifying stakeholders, and emphasize documentation and removal processes.

All of these procedures can be ensured and sped up with the right legal hold and ediscovery solution that can be incorporated into your email retention policy safeguarding your organization during legal proceedings and demonstrating legal compliance.

Sloppy Policies are More Common Than You Think

If you think your email retention policy is perfect, you should know that after 2012, the number of failed information requests rose to almost 30%.

Most of these problems emerged when companies faced ediscovery requests but weren’t able to comply due to poorly implemented retention policies.

Failing to comply with these requests results in huge fines, sanctions, bad reputation, and public backlash, so being prepared to handle these requests is very important.

Another fact is that almost 40% of these companies’ retained data was being kept unnecessarily, which reduced their efficiency in responding to requests and increased their costs due to the amount of data being stored.

Both of these problems could have been solved with the right email retention policy and the right archiving software.

So, revisit your email retention policy and review best practices to ensure you haven’t overlooked any important details.

Just having an email retention policy set up puts you above the 39% of US businesses that don’t even have one.

Stay compliant, speed up your ediscovery, and retain all of your business data in one easy-to-use solution for businesses of all sizes. To learn how you can easily create custom email retention policies and archive your email communication with Jatheon’s cloud archiving solution, contact us or book a demo.

Summary of the Main Points

  • Despite the popularity of new communication methods, email remains central in business for information sharing and documentation.
  • Similarly to other business records, retaining emails is critical for compliance and data management.
  • Organizations use email archiving solutions to meet legal and regulatory requirements, but comprehensive retention policies are also essential.
  • Proper retention policies protect against legal risks, support data management, and maintain organizational reputation.
  • Factors influencing retention duration include legal requirements, industry standards, and specific business needs.
  • To stay compliant, tailor your email retention policy to organizational needs, regularly update and enforce it, implement archiving solutions,
  • keep all staff informed, and ensure the policy is consistently applied and updated in line with evolving regulations.
  • Extend retention practices beyond email to other communication platforms for comprehensive compliance.

FAQ

What is a standard email retention policy?

A standard email retention policy stipulates the guidelines for how long emails should be retained before deletion. It varies by organization and industry but typically ranges from one to seven years, depending on legal, regulatory, and business requirements.

What is the federal law on email retention?

Federal laws on email retention vary by industry. Key regulations include the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley Act (GLBA.)

What is the legal hold in email archiving?

A legal hold in email archiving is a process used to preserve all forms of relevant information when litigation is anticipated. It ensures that emails and other communications are not deleted or altered during legal proceedings. This is critical for compliance and helps organizations manage and produce required data for discovery in legal cases.

What happens to emails after the retention policy?

After the retention policy period expires, emails are typically deleted or archived based on the organization’s policy. This process helps manage storage, maintain compliance, and protect sensitive information by ensuring that only necessary data is retained.

Read next:

Why Your Information Governance Strategy Must Start with Email

Top 5 Email Archiving Software Features

Data Retention Requirements in the United Kingdom

The Ultimate Guide to Small Business Email Archiving

About the Author
Bojana Krstic
Bojana Krstic is the Marketing Director at Jatheon, where she leads strategic initiatives and creates content on data archiving, ediscovery, and compliance. When AFK, you’ll find her in the forest, discovering new music, or exploring the Adriatic.

See how data archiving can simplify compliance and ediscovery for your organization

Book a short demo to see all the key features in action and get more information.

Get a Demo

Jatheon is a “Trail Blazer” in The Radicati Group’s 2024 Information Archiving MQ

Share via
Copy link
Powered by Social Snap