The short answer is – everyone.
You might be aware of the legislation that exists in relation to email archiving and data retention, but do you know which regulations apply to your business sector? Or what your business needs to do for best practice?
Industries such as education, healthcare, finance, legal or pharmaceuticals are subject to regulations from specific governing bodies, but nearly all companies must comply with the law regardless of sector.
Under the General Data Protection Regulation (GDPR), organisations must create a data retention policy that states how they will process and store personal information, including electronic communications. The UK GDPR (which replaces the EU GDPR post-Brexit) applies to UK organisations that collect, store or otherwise process the personal data of individuals residing in the UK.
What are the rules?
In terms of email retention law in the UK, the information required by businesses to create their email policies should be taken from the Public Records Act 1958 (PRA 1958), the Freedom of Information Act 2000 (FOIA 2000), the Data Protection Act 2018 (DPA 2018) and the General Data Protection Regulation (GDPR).
The Data Protection Act’s fifth principle states that ‘(1) Personal data processed for any of the law enforcement purposes must be kept for no longer than is necessary for the purpose for which it is processed. (2) Appropriate time limits must be established for the periodic review of the need for the continued storage of personal data for any of the law enforcement purposes.’ While this does not specify how long data should be held, it does make businesses responsible for justifying their decisions.
The Data Protection Act 2018 states that the information must be:
- used fairly, lawfully and transparently
- used for specified, explicit purposes
- used in a way that is adequate, relevant and limited to only what is necessary
- accurate and, where necessary, kept up to date
- kept for no longer than is necessary
- handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage
Is there a difference between retention and archiving?
Yes! Archiving is a process that allows a business to keep email messages for an indefinite period. This is useful for companies that need to comply with industry regulations; for example, the FCA states that financial companies must keep information for six years, and some emails must be kept indefinitely. Reliable archiving is important to avoid data deletion or corruption, particularly when evidence of compliance is called for. You can read here how Vitanium helped a client whose data had become corrupted.
Retention determines how long an email should remain in the system before it is automatically deleted. This determination is influenced by laws, regulations and company policy. Vitanium’s archiving product allows you to set flexible retention policies, whereby emails can be automatically archived but removed after a set period of time.
Industry Specific Regulation
Different industries have their own regulatory bodies, and businesses must comply with their own industry-specific legislation. If you are not sure what this is, you should contact your industry’s governing body. For example, the Financial Conduct Authority requires email records to be held for anything from five years to indefinitely, depending on the business activity. Companies may also be affected by legislation from other countries in which they do business; for example, the United States passed the Sarbanes-Oxley Act to introduce stricter financial reporting requirements.
What should you do?
- Contact the governing body or authority that regulates your industry and make sure you are clear and up to date on current regulations.
- Create an email retention policy that is compliant with current legislation.
- Make sure that any personal data you hold is protected in line with data laws.
- Ensure you have an email archiving solution that adheres to industry compliance and protects the data you hold.
- Plan ahead – there is always the possibility of new legislation coming into force that can be applied retrospectively. Don’t wait until it’s too late!
- Protect your company from malicious behaviour such as email deletion, and ensure your email archive is tamper-proof and secure.
- Train your staff to ensure full compliance with company policies.
Do you need help with Email Archiving?
At Vitanium we offer a full Email Archiving service backed up by a team of UK staff who are on hand to answer your questions. We can create a 1:1 legal copy of all your internal and external email in a central repository that will ensure the security and availability of your email data for years to come.
Please note: The information presented in this article is not legal advice. It is meant for educational and planning purposes only.