How to craft a watertight email retention policy

Danny Bradbury

Information has a lifecycle. It’s born, it grows old, and sometimes, it dies. Companies that control that process can put themselves ahead of the pack, minimizing their risk and maximizing their visibility. It all rests on a policy for email retention.

Without an effective email retention policy, a company will not have a clear understanding of what information is held and where. This can have an impact in three distinct areas: industry regulations, legal concerns, and knowledge management.

The consequences of these can vary, but the most obviously damaging is legal. Companies may need to find information long since buried in emails for legal purposes. A lawsuit may spark a discovery process that calls for information to be presented to attorneys. If a company cannot recall what information was sent in an email, it will find itself at a legal disadvantage.

A company that doesn’t take the time to create an email retention policy can suffer other consequences, too. Information may end up floating around the IT system in a variety of formats, such as backups of PST files created by individual users. Not only does this lead to inefficient storage, but should these make their way out of the company via USB drives, for example, it could lead to embarrassing leaks.

Best practices for email retention

So what do you need to know, either as a managed service provider (MSP) or an IT admin, to establish a solid email retention policy?

Essentially, an email retention policy will need to include a description of at least three things:

  • Content type - What kinds of content should you archive? Compliance officers might decide that only invoices need to be retained, for example, or that all electronic communications with customers must be kept. Do you need to archive emails from all employees, or only those in specific roles?
  • Retention period - Different kinds of content from different sources may need to be retained for different lengths of time.
  • Disposal - The information in retained emails may be sensitive. A comprehensive policy should define what happens to that email at the end of the retention period, and how it is disposed of.

Of course, each email policy will look different and be tailored to the needs of the company in question. There are several steps that MSPs and IT departments need to work through before finalizing the rules, though.

Three steps to email retention

The first step is to define the regulatory baseline. Aside from general legislation in a particular company’s jurisdiction, there may also be regulatory requirements that dictate how its information is stored. Understanding minimal mandatory retention times for emails will ensure that the policy at least meets the compliance requirements.

The second step is to classify email content. This can be done in automated ways, by referencing an employee’s role or department, for example. Should a more sophisticated approach be necessary, employees could themselves be asked to classify email content – although this requires a certain level of employee co-operation, making the whole project more complex.

Whether or not you work with users to classify their own emails, they should still be involved in the process. When putting a retention policy together, a key best practice is to include the different areas of a company when creating it. Interview employees across different roles and departments to understand how they currently manage their email. They may have particular productivity requirements that will affect the mechanics of an email retention policy. For example, if some employees refer to old emails more often than others, it could influence retention policies for their particular department or role.

Finally, ensure that the policy is properly communicated and enforced; this includes making sure the retention document is clearly laid out, and also that it is communicated as part of the company’s employee induction process. Consequences for not following the policy should be detailed, and key stakeholders should be identified and made responsible for adherence to it.

More advanced tools provide automated email archiving, eliminating or at least reducing the manual processes involved in email retention. The more automation that can be introduced, the more likely it is that email retention will be consistent and accurate companywide. The larger an organization becomes, the more important that will be.