Best Practices for Creating an Email Retention Policy
Creating an email retention policy for your business is about more than staying organized and saving storage space. If you don’t have a clear policy for securely archiving and deleting emails, you’re increasing your risk of a data breach and potentially violating the law.
Here are some best practices to consider when creating and implementing an email retention policy.
1. Put Your Email Retention Policy in Writing
First off, your policy needs to be in writing, and your attorney or legal team should be involved in the drafting process. There are email retention policy templates on the internet you can use as a starting point, but it’s important that your policy is tailored to your organization and your state’s laws.
You’re not required to make your email retention policy public, but you should keep it with your company records and review it regularly.
Does a small business really need an email retention policy?
Even small businesses can benefit from having an email retention policy. Small businesses are required to follow data privacy laws and retain employment tax records, just like larger businesses. If your business handles protected health information (PHI), you’re required to comply with HIPAA.
While most small businesses don’t have an in-house legal team, it’s highly recommended you reach out to a lawyer for help creating your email retention policy. Email retention requirements vary widely based on your industry and your state or jurisdiction, so it’s best to get expert help and make sure you’re following the law.
2. Understand the Legal Requirements for Your Organization
Depending on your organization, you may be legally required to store certain emails for a set period of time.
| Who It Applies To | Governing Law | Required Retention Period |
|---|---|---|
| All employers | IRS requirement | 4 years for employment tax records |
| Healthcare providers, health plans, and healthcare clearinghouses | HIPAA Privacy Rule | 6 years for policies and procedures related to HIPAA compliance |
| All public companies | Sarbanes-Oxley Act (SOX) | 7 years for data covered by SOX |
| Pharmaceutical firms and biological product manufacturers | FDA, Title 21 CFR Part 11 | Varies between 5 and 35 years depending on the record |
| Securities broker-dealers | SEC Rule 17a-4 | 6 years |
| Federal, state, and local government agencies | Freedom of Information Act (FOIA) | Varies depending on the type of record |
Keep in mind that these aren’t the only requirements for retaining emails, and you should consult an attorney to fully understand your company’s legal obligations.
3. Assemble a Diverse Review Team
Gather stakeholders and employees from across your organization to help create and review your email retention policy. It’s a good idea to get input from multiple teams, including:
- Legal and compliance teams
- IT department
- Data security and privacy teams
- Leaders and executives
- Email users from various teams
Including perspectives from across the organization helps you create an email retention policy that is legally compliant, secure, efficient, and user-friendly for employees.
4. Create Email Categories
Different types of emails require different storage practices. You don’t need to save your company newsletter for the same amount of time as an email containing sensitive client information.
Create categories for different email types and set the retention period for each category. Email categories might look like:
- Financial records
- Legal and contracts
- Employee records
- Project-related
- Non-important
The retention period for each category should be decided based on relevant laws and your business needs.
5. Use Automation
Using automation makes it easier to implement your policy, with less risk of human error. Many email hosting services, along with email archiving platforms, have automation tools that will automatically archive or delete emails after a certain period of time.
An email archiving platform is a service that can be used in combination with your email service to archive emails you want to save without taking up storage space in your inbox. The two types of email archiving are:
- Cloud-based archiving. Pay a service to store your emails in a cloud server.
- On-premise archiving. Store emails on servers that your business owns and maintains.
Most smaller businesses choose cloud-based archiving, since you can easily increase your storage capacity if needed, and you don’t need to worry about maintaining your own servers. However, if you use cloud-based archiving, make sure the service encrypts the archive both in transit and at rest, and ask who holds the keys. Neither HIPAA nor GDPR mandates one specific encryption technique, but end-to-end encryption is recommended if you need to comply with either, because it keeps the archiving provider itself from reading your messages.
6. Maintain Strong Email Security Measures
Having a policy for storing, archiving, and deleting emails is only part of the puzzle. You should also choose a secure email provider to protect your email data while it’s being stored. Essential security features include:
Encryption
TLS (the successor to SSL) is the industry-standard method for encrypting email while it is in transit between mail clients and servers. End-to-end encryption provides stronger protection, because the message is encrypted on the sender’s device and can only be decrypted by the intended recipient, so it stays protected in transit, at rest on the provider’s servers, and when stored on your device.
Access controls
By setting role-based access permissions, you limit the number of people who have access to sensitive emails, which reduces the risk of a security breach.
Multi-factor authentication
Setting up two-factor or multi-factor authentication makes it much harder for someone to take over your account, even if your password has been compromised.
7. Train Employees
Getting your employees to understand and adopt your email retention policy will require more than a single training session. There should be ongoing discussion and training to make sure that all employees understand the policy and feel confident about following it.
Create a channel where employees can ask questions about the policy, and don’t expect it to go perfectly right away. Changes in the workplace can be difficult and frustrating, especially when it feels like you’re simply being asked to follow another checkbox requirement. It’s important that your employee training covers why you’ve created this policy, not just how to follow it.
8. Be Prepared for Litigation Holds
Your email retention policy should also address how you’ll handle litigation holds, should one ever occur. A litigation hold is a formal notice that you must preserve all documentation, including emails, if the documents may be relevant to a legal investigation or data request. While a hold is in place, any automated archiving or deletion rules must be suspended for the affected mailboxes, no matter how old the messages are. Some events that can trigger a litigation hold include:
- Lawsuits or other legal disputes involving the organization
- Data Subject Access Requests (DSARs) that must be fulfilled according to privacy laws, such as the GDPR or the California Consumer Privacy Act (CCPA)
- Audits by government agencies
- Court orders
- Internal investigations
Many cloud-based archiving platforms have automation tools that can help with eDiscovery (the process of collecting electronic data related to a legal case). These tools can collect potentially relevant emails and forward them to your legal counsel.
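The email categories from section 4, the automated archive-or-delete rules from section 5, and the litigation-hold override described above fit together in one small decision routine. The following is an added illustration written for this article, not code from the page, from any email provider, or from any archiving product. The category names, retention periods, archive threshold, and sample messages are invented for the example; a real policy takes its periods from the legal table in section 2 and from business need.

```python
"""Minimal email retention engine.

Applies a per-category retention period, moves older messages to the archive,
and refuses to delete anything covered by an active litigation hold.
Illustrative example for this article; all values below are hypothetical.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Retention period per category, in days. Hypothetical values chosen for the
# example; a real policy derives these from the applicable laws and business need.
RETENTION_DAYS: Dict[str, int] = {
    "financial": 7 * 365,
    "legal": 10 * 365,
    "employee": 4 * 365,
    "project": 2 * 365,
    "non-important": 90,
}

# Messages older than this, but still inside their retention period, leave the
# live mailbox for the archive. Hypothetical value.
ARCHIVE_AFTER_DAYS = 365


@dataclass(frozen=True)
class Message:
    msg_id: str
    custodian: str      # mailbox owner
    category: str       # one of the policy categories, or anything else if unclassified
    received: date


@dataclass(frozen=True)
class LitigationHold:
    hold_id: str
    custodians: Set[str]
    released: Optional[date] = None   # None means the hold is still active

    def covers(self, msg: Message, today: date) -> bool:
        """True if this hold is active today and applies to the message's mailbox."""
        active = self.released is None or self.released > today
        return active and msg.custodian in self.custodians


def decide(msg: Message, today: date, holds: List[LitigationHold]) -> str:
    """Return one of 'hold', 'retain', 'archive' or 'delete' for a message."""
    # 1. A hold always wins: nothing under hold is archived or deleted, however old.
    if any(h.covers(msg, today) for h in holds):
        return "hold"
    # 2. Fail closed: an unclassified message is never deleted automatically.
    if msg.category not in RETENTION_DAYS:
        return "retain"
    age_days = (today - msg.received).days
    if age_days > RETENTION_DAYS[msg.category]:
        return "delete"
    if age_days > ARCHIVE_AFTER_DAYS:
        return "archive"
    return "retain"


def plan(messages: List[Message], today: date,
         holds: List[LitigationHold]) -> Dict[str, str]:
    """Map every message id to the action the policy would take today."""
    return {m.msg_id: decide(m, today, holds) for m in messages}


# Constructed sample data for the example (not real mailboxes or holds).
TODAY = date(2024, 6, 1)
SAMPLE_MESSAGES = [
    Message("m1", "alice", "non-important", TODAY - timedelta(days=120)),  # past 90 days
    Message("m2", "alice", "financial", TODAY - timedelta(days=800)),      # within 7 years, over 1 year
    Message("m3", "bob", "non-important", TODAY - timedelta(days=120)),    # bob is under an active hold
    Message("m4", "carol", "unknown", TODAY - timedelta(days=5000)),       # unclassified, very old
    Message("m5", "alice", "project", TODAY - timedelta(days=30)),         # recent
    Message("m6", "dave", "non-important", TODAY - timedelta(days=120)),   # dave's hold was released
]
SAMPLE_HOLDS = [
    LitigationHold("H-1", {"bob"}),
    LitigationHold("H-2", {"dave"}, released=date(2024, 1, 15)),
]

if __name__ == "__main__":
    for msg_id, action in plan(SAMPLE_MESSAGES, TODAY, SAMPLE_HOLDS).items():
        print(msg_id, action)
```

Two design choices matter more than the numbers: the hold check runs before any age arithmetic, so a deletion rule can never race a hold, and an unclassified message falls through to "retain" rather than "delete", so a gap in your categorisation costs storage instead of evidence. In production the plan would be written to an audit log before any mailbox is touched, and a released hold (H-2 above) should be re-checked against the release date rather than simply removed from the list.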
9. Regularly Review and Update Your Policy
State, federal, and global data privacy laws are frequently changing, so it’s important to review your policy regularly to make sure it’s still in line with the law. Plan to review and update your email retention policy at least once a year. Don’t forget to inform your employees of any changes.
Why Set Email Retention Limits?
Even beyond the fact that setting email retention limits is often legally required, there are other reasons why it’s a good idea to limit the amount of emails you leave in your inbox:
- Storage limits. Without retention limits, your mailbox will eventually run out of storage, at which point you’ll need to either delete emails, archive them with a cloud-based archiving platform, or buy more storage space.
- Breach and litigation risk. Holding on to many years of email is a liability. If an attacker gets into your email and steals customer information, those customers could sue your company, and every old message you kept is one more record you have to account for. By deleting sensitive emails once your company no longer needs them, you shrink both the amount of data a breach can expose and the resulting legal exposure.
- Sustainability. When companies store massive amounts of data, all that digital storage space takes energy to maintain. Setting email retention limits can help you reduce your business’ carbon footprint and meet your environmental goals.
Northwest offers secure, ad-free professional email service to help you safely manage your business emails.