In the age of electronic communication most people find it impossible to go a day without email. In the workplace email is a valuable tool, not just for communication, but also for recording information and exchanges. But dangers lurk in the deep recesses of servers that store all that communication, and in the case of a workplace investigation what is and isn’t there can come back to haunt a company that hasn’t taken the right steps to preserve and delete.
Knowing what and how to delete electronic communication is critical, yet many companies don’t have a clue. The answer lies in an Email Retention Policy: a document that describes the company’s guidelines for retaining and destroying emails.
What’s in an ERP?
An Email Retention Policy typically includes:
- a retention schedule for employees to easily integrate into their routines
- a set timeframe for how long emails will be stored
- explicit directions for what information should be kept and what information should be destroyed.
- information about the way in which the data is kept and where.
An effective Email Retention Policy must be easy to understand, so that employees will have no problems implementing it.
Why You Need an ERP
The Email Retention Policy defines which data needs to be preserved and for how long: Some companies face industry regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), SEC, Sarbanes Oxley (SOX), and Gramm-Leach-Bliley Act (GLBA), that require them to retain electronic data for a certain period.
In addition to regulatory compliance, certain data might be important for the company and must be retained for internal reasons.
Why Delete Data?
The Email Retention Policy also defines which data does not need to be retained. If certain data is not important the company does not want to store this data. The reason for this is two-fold:
- Storing data costs money and can slow down systems. A mail server was not designed as a storage system; it was designed as a communication system. Mail servers that have large message stores are slower to search through, backup and restore. It does not make sense to suffer these consequences for data that is not important.
- The more data you have, the longer an eDiscovery search will take on a court order and the more costly it will be. If a US company faces a lawsuit, they will need to comply with the eDiscovery rules from the Federal Rules of Civil Procedure (FRCP). Although according to the FRCP it is up to the company to decide for how long to store data, there must be a clear retention policy in place that states which data is retained, for how long and by what means. It is important that these guidelines are adhered to, so that if any destroyed data is ever requested as evidence, the company is able to prove that it was destroyed according to company guidelines, and not to cover up evidence.
FREE Investigation Report Template
Prepare thorough, consistent investigation reports with our free report template.Download Template
Set It, but Don’t Forget It
Unfortunately Email Retention Policies are far from set-it-and-forget-it programs. Compliance regulations constantly change and implementation problems may arise at any time.
Although it might be daunting to create an Email Retention Policy, don’t be discouraged. Create an email retention team involving members from IT, Legal, Compliance and Human Resources and start by documenting the company’s retention needs and requirements. Once the email retention requirements are clear, discuss how these can be achieved. This will usually be a combination of employee guidelines as well as implementing an email archiving solution.
Taking the time to ensure you have an effective Email Retention Policy will save you hours of sleep lost to worrying about the monsters lurking on your servers.