People leave jobs; it’s a fact of life. Their office desk is cleared and re-assigned. But what is to be done with their company email account, and what does that have to do with email compliance?
Some companies will have an email retention policy, others will deal with the situation when it arises, but one thing’s certain – at least some of that information will need to be accessed at a future time. This may happen for business information, unforeseen data requirements, compliance reasons or as part of a response to an ediscovery request or an HR investigation.
So the real question is – how do you handle emails when an employee leaves?
What do you do with old employee emails?
You may choose to simply delete the account, and the data that goes with it. Short-term, this is a fine solution, as you no longer need to worry about any new emails, or servers to keep the data on, but it may be a catalyst to a host of new problems.
Currently there are data retention laws in effect that require you to keep your email for a number of years (based on your industry and geolocation).
In addition to that, the employee’s old communications may be subject to ediscovery in the event of a legal case. If the required data has been deleted, your organization could be subject to fines or other severe penalties.
Here’s what you need to do when an employee leaves or is dismissed:
1. Restrict access to their mailbox
The employee should be given the time before their final date of departure to go through their mailbox and copy any necessary documents to a personal flash drive. This, of course, depends on the circumstances under which they left and your organization’s own policy about IP and confidentiality of records.
Once the employee leaves, it’s essential to reset their email password and restrict access to their email account. If this offboarding procedure is not followed, there could be data loss or a data leak, with serious consequences.
2. Forward their email to an appropriate employee / manager
You can leave the mailbox status as active, but make sure you forward their email to a manager or IT. You can also include an auto-responder message explaining that the employee is no longer with the company and who the best point of contact is going forward.
Remember that having an active mailbox incurs a monthly mailbox cost, which can be quite expensive depending on your email client and plan (e.g. Office365 E5 subscriptions are $35 a month).
In theory, if you’re not in a regulated industry, you could delete the mailbox after one to three months, but we generally advise against complete wiping in order to preserve business information and be ready for compliance audits and litigation. This very much depends on the employee’s position and responsibilities in the company, but it’s good to have an established policy on this in order to avoid any missteps.
Remember that, based on which laws apply to you and where you operate, there could be data privacy concerns if you decide to keep former employee mailboxes active.
Email correspondence contains vast amounts of valuable information, but data retention laws are also in conflict with data protection laws, so it’s important to carefully weigh how long you’re going to keep records, so that you have them at hand but avoid breaking any data privacy laws like the GDPR.
This recently happened in Belgium, where the local Data Protection Authority fined an SME EUR 15,000 for keeping the employee data for over 2 years and failing to abide by the foundational principles of the GDPR (data minimization and lawfulness).
3. Archive and delete the mailbox
Alternatively, you can archive the employee’s mailbox and back it up on a local server, after which the original email can be safely deleted.
After a set period of time you could get the IT department to create a backup of the existing emails and keep it on the company servers for as long as you need it. The past employee may (or may not) have access to their work email address in the meantime, and you can erase it once it has been copied. You could have a permanent, indefinite or a set timeframe on keeping the mail, making it accessible when required.
4. Use third-party email archiving to keep things simple and compliant
If you are in a highly regulated industry like education or financial services, you will need to preserve electronic records, including those of former employees, not only for business continuity purposes, but also to meet compliance requirements.
Third-party email archiving software relies on email journaling and creates a copy of all email in near real-time. The email is instantly indexed and stored, allowing you to delete everything from the mailbox and still have an archive (on-premises or in the cloud).
Such archives are fully searchable, making them the easiest way to access old communications, avoid paying for an account’s full price and stay compliant with all relevant email retention laws.
Most third-party email archiving solutions allow you to set retention policies, so, based on the employee’s role and relevant regulations, you could retain all the legacy data indefinitely or schedule retention rules for the records to be automatically deleted once the specified or mandated retention periods expire (for example, FINRA firms will need to retain all email for at least 6 years).
Want to find out more about best practices for email retention? Check out the Email Retention Policy Best Practices for This Year.
Staff turnover, managing email volume and compliance/legal requests are all day-to-day business occurrences. The important thing is to make sure your organization is prepared for all three.
Retaining a former employee’s emails is just one of the many benefits of an email archive. To find out more ways in which an email archive can make your life easier, you can read this article on Email Archiving Benefits: 20 Reasons to Archive Email.
Jatheon is a tech company specializing in secure archiving of business communications like email, social media and chat apps for compliance, business continuity and legal discovery. See how our AWS-based cloud archiving software can help you to reduce the cost and complexity of managing former employee email.