Email retention policy key to compliance

Antony Adshead, UK bureau chief, storage

An email retention policy can help organisations efficiently use and store email, and is a necessary part of a legal compliance program. When creating a records retention policy for your company's email, you should start with the following five steps.

1. Find out how employees in different departments use email. How do they access old emails? Do they create personal archives? How could email be organised so that everyone could do their jobs more efficiently? Asking these questions is a critical first step that will help you put in place procedures that facilitate productivity rather than impede it.

2. Create a policy group with members from all major areas of the company. This oversight committee will help generate the email retention policy and ensure that all departments, as well as their particular requirements, will be represented.

3. Determine which regulatory or legal factors your business is subject to. U.K. regulations that can potentially affect email retention include the following: the U.K. Freedom of Information Act (FOIA), which dictates that public sector bodies must be able to supply on-request copies of "recorded information," even if they were generated before FOIA was put in place; the Data Protection Act, under which a member of the public can request information held about them; and the U.S.-based Sarbanes-Oxley Act, regulations that apply to data containing company financial information for NASDAQ- and NYSE-listed businesses and their U.K. subsidiaries.

There are also industry-specific regulations, such as those enforced by the Financial Services Authority or The Law Society. Controls vary, but generally they stipulate standards of retention, protection and confidentiality, while also obliging businesses to make information available. Added to this is the legal discovery of email, the timescales of which are decided by individual courts. You should consult your company lawyer to determine the scope of your email retention policy.

4. Outline email retention and deletion dates, and instructions for potential litigation holds. Make sure the information technology group knows what data is being stored, where it's located, how long they must archive it and how to retrieve it when needed. There should also be a formal procedure in place for responding to litigation hold requests (perhaps through a compliance officer) and communicating that information to everyone involved.

5. Enforce the email policy. There are two main ways to enforce an email archive policy: through manual procedures or using an automated email archiving system. Manual procedures require step-by-step email retention instructions that employees must follow, as well as training classes. Because they're dependent on humans, however, manual procedures are less than foolproof. For this reason, automated email archiving systems are gaining in popularity as they ensure policy enforcement and raise employee productivity. You'll have to communicate any new email retention policy to employees, implement any necessary training and state the consequences if the new policies aren't adhered to.

