Best Practices for an Email Archiving Policy

An email archiving policy establishes how long an email should be retained before being deleted. The policy needs to be carefully governed in order to ensure it complies with industry and government regulations, and – if emails are received from contacts in Europe – the EU´s General Data Protection Regulation.

A formal email archiving policy is essential in most businesses. Those that operate in regulated industries need to show they are complying with state and federal laws, while those that communicate with contacts in Europe should implement an email archiving policy in order for easier compliance with the EU’s General Data Protection Regulation (GDPR). It is also a good idea to have a policy in place so emails are easy to trace if they are required by a court under the Federal Rules of Civil Procedure in 2006.

A formal email archiving policy prevents the informal practices of saving everything, or relying on user discretion to decide which emails should be archived. Although a “save everything” policy overcomes potential legal hold violations, it can be expensive to operate due to the volume of storage space required. A “user discretion” policy can reduce the amount of storage space required, but is subject to human error, a lack of control, and potential loss of important data when emails are deleted in error.

Best Practices for an Email Archiving Policy

Ideally, a business should have a structured email archiving policy that sets out the regulations relating to email retention that are applicable to the business, the retention times for each type of email depending on its content, and the process for deleting emails. The policy should also state who in the business is responsible for enforcing it, and any sanctions that may apply for violations of the policy. Retention times can vary considerably depending on legal requirements. For example:

  • State revenue departments often require emails containing financial records to be retained for a minimum of three years.
  • The IRS requires emails relating to tax issues to be retained for periods of between three and seven years depending on which taxes the emails relate to.
  • Under the Federal Rules of Civil Disclosure, retention times can be variable depending on the subject of the emails and each state´s Statute of Limitations.
  • If your business processes credit card payments, all email relating to card transactions have to be retained for one year under the Payment Card Industry Security Standard.
  • If your business is a HIPAA Covered Entity or Business Associate, your email archiving policy has to be retained for a minimum of six years.
  • Other HIPAA rules include that emails relating to the death of a patient have to be retained for two years, and emails relating to a child´s healthcare until the child is aged 21.

Under the GDPR, the personal data of EU data subjects can only be retained for as long as there is a “lawful basis” to do so. Once the business no longer requires the data for the purpose it was collected, the data must be deleted. Email archiving policies have to address how emails containing personal data will be indexed, archived, and deleted to comply with the GDPR. They should also cover EU citizens´ rights to access personal data and the “right to be forgotten”.

Because of the varying retention periods and GDPR rules, the best way to enforce an email archiving policy is to implement an email archiving solution that captures, indexes, and stores emails, and applies a deletion date depending on the email´s content. As emails that do not need to be archived are deleted, this saves on storage space, while indexing at the point of passing through the email server simplifies email management and accelerates data retrieval.

Choosing an Email Archiving Solution

There is a selection of email archiving solutions available to businesses, but some fail to comply with certain laws and regulations. For example, in order to comply with the Federal Rules of Civil Disclosure that insist emails presented in eDiscovery have to be accurate and immutable, an email archiving solution has to copy inbound and outbound emails in real time and have systems that prevent archived data being altered. Some email archiving solutions only copy data periodically or lack access controls.

The security of data storage can also influence a business´s choice of email archiving solution. Whereas hardware and software solutions have risks associated with them in regard to data security, data stored in cloud-based solutions has stronger mechanisms preventing theft or unauthorized alteration. Cloud-based email archiving solutions also resolve the issue of storage space and – as all the data is stored in one location, rather than on off-site media – managing and retrieving the data is much easier.

ArcTitan Cloud’s Email Archiving Solution

ArcTitan Cloud is a cloud-based email archiving solution from TitanHQ that helps business implement and enforce an email archiving policy quickly and simply. ArcTitan Cloud meets all regulatory standards for email archiving, eDiscovery and disaster recovery by copying and indexing emails in real time, maintaining them in a data center certified to IL5 standards, and ensuring they are not altered while they are in archive storage via tamper-evident access logs.

Being a native cloud-based Software-as-a-Service application, our email archiving solution is compatible with every type of operating system, mail server and email service, and is scalable up to 60,000 users. Retention periods and access controls are easy to set via the ArcTitan Cloud´s web portal; and, as emails are not stored in a proprietary format, data can be imported, retrieved, and exported in a variety of formats over encrypted channels to ensure the integrity of data in transit.

Find Out More about ArcTitan Cloud

If your business has a requirement to archive emails securely, but needs to access archived emails at short notice, speak with our team of Sales Consultants about organizing a free demonstration of ArcTitan Cloud. Our team will be happy to answer any questions you have about our email archiving solution and may be able to assist with the development of an email archiving policy depending on the nature of your business. Naturally, once the policy is developed, we will help you in any way we can to implement it. To find out more, contact ArcTitan Cloud today. Depending on your current archiving system, you could be demoing a fully-enable version of ArcTitan Cloud within fifteen minutes.