Problem solve Get help with specific problems with your technologies, process and projects.

Email retention policy: A step-by-step approach

Email retention and archiving expert Bill Tolson offers his advice on how to create an email retention policy.

Can you offer a step-by-step approach to creating a records retention policy for email? What are the most important things to consider?

When creating a records retention policy for your company's email, you need to take several things into consideration.

First, the mistake most companies make when creating an email retention policy is not involving all areas of the company in the construction/review process. An email retention policy is not just a legal document, it will effect employee productivity company-wide. So, the first step is to create a policy group with representatives from all major areas of the company. It is important that you understand how employees use the email system. Do they create their own personal archives? How often do they reference old emails? Understanding these things will ensure you don't put in place procedures that will adversely affect employee productivity.

Second, you need to understand what regulatory or legal factors you are subject to. Is your company in a heavily regulated industry that has existing data retention requirements? For example, banks and other financial institutions have data retention requirements under the Gramm-Leach-Bliley Act, brokers and traders have data retention requirements under the SEC and NASD regulations, hospitals and other medical institutions need to worry about regulations under HIPAA and all publicly traded companies in the U.S. have data retention requirements under Sarbanes-Oxley. These regulations all have retention requirements which include email. Legal considerations mainly revolve around your company's current legal status, i.e., are you in the midst of a court case which could include discovery of company email. It is always best to have an email retention policy in place before legal proceedings.

Third, you need to decide how you will enforce the email retention policy. Are you planning to put an automated email archiving system in place, or will you rely on manual procedures? If you will rely on manual procedures, you will need to include step-by-step email retention instructions that employees can follow and employee training to ensure the policy enforcement. In most cases, an automated email archiving system will ensure policy enforcement and raise employee productivity.

Also, you must communicate the new policy to the employees. Employee communication and training can lower your compliance and legal liability.

Lastly, a good email retention policy should have the following topics:

  1. Effective date
  2. Last change date and changes made
  3. Person or department responsible for the policy
  4. Scope/coverage
  5. Purpose of the policy
  6. Policy statement: This can include a company philosophy statement about the business/legal/regulatory reasons for records retention
  7. Definitions
  8. Responsibilities
    • Procedures
  9. Other retention policy guidelines
    • Duplicate copies/convenience copies
    • Consequences if the policy is not followed
  10. Appendix A: Litigation hold/stop destruction policy including a backup procedure

Do you know…

The benefits of CAS for email archiving?

Dig Deeper on Archiving and backup