How will GDPR Affect Email Retention?

Updated: Jan 13, 2021


Introduction to GDPR

Corporates with operations across multiple geographies need to be aware of the various compliance requirements that keep the business out of legal trouble. The General Data Protection Regulation (GDPR) is a Regulation of the European Union that protects natural persons (called data subjects) with regard to the processing and free movement of their personal data.

This regulation lays out very strict norms on how the private information of individuals should be handled and processed. The GDPR is applicable globally and came into force on 25 May 2018. It has forced data and internet companies to reinvent their data management strategies.

When it comes to corporate data, the email system falls within its scope without question. Today, email has become the lifeline of any organization because of the simplicity, flexibility, and integrity it offers for the company’s internal and external communications.

What is Email Retention?

With email becoming the main channel of communication, its security, stability and storage should be given high priority by the organization’s management. Therefore, an Email Retention Policy must be framed to ensure continuity in company-client communications.

An Email Retention Policy defines aspects such as employee email storage, usage, retrieval of ex-employee email data and deletion of the same. The benefits of implementing a robust Email Retention Policy include cost optimization of data storage, a streamlined approval process for accessing the email archives, and defined permissions for sharing emails, amongst others.

So how are GDPR and Email Retention correlated?

The HR Manager of the company, the IT Manager and the newly appointed “Data Protection Officer” will have to work closely together to make sure the “Email Retention Policy” is updated and operational.

GDPR compliance requires that data be processed and controlled only with the consent of the data subjects. It also requires that data be deleted securely once its retention period has expired. Emails often contain personal data, and that means organizations must manage backup and archived copies of emails very meticulously.

Most existing systems are tape based, so recovering an email is difficult and time consuming. Systems should make the retrieval of old data easy and fast, and searches should take less time.

Today, cyber attacks and cyber crime are on the rise. In a phishing attack, for example, attackers entice users into downloading a file or redirect them to a web link. When the user opens the attachment or clicks the link, the attackers are able to access the information and files in the user’s mailbox. In this way, precious data such as usernames, passwords, bank details and medical documents is stolen, which may lead to financial losses.

Compliance with GDPR ensures that the “Email Retention Policy Template” is well defined and also takes cyber attacks into consideration. In addition, it sensitizes employees to privacy: identifying suspicious links, setting passwords of “high strength”, not sharing passwords, and periodically backing up emails to a central server or the cloud.

The GDPR lays out a road map to protect an organization from malicious URLs, attachments, phishing and other such common attacks that compromise customer data.

Under the GDPR, companies are required to automatically encrypt emails that contain sensitive personal data like credit card and bank details, insurance and health reference numbers and other types of data that could be accidentally, inappropriately or inadvertently shared. This ensures that an organization is not at risk of losing sensitive information and saves the company from any kind of legal exposure.

Just as obtaining affirmative consent from the data subjects is mandatory under GDPR, the data subjects must be notified of any security breach within 72 hours, by email.

“Email Archiving Solution” as a part of the “Email Retention”

Conventionally, the email archiving process consists of local backups, backup rotation, backup copies, process checks, storage quotas, local searches, IT help desks and support. On-premise backups copy your data to a storage device located at your premises. This process can be manual or automatic. The storage devices can be kept onsite for quick access or physically moved offsite afterwards to maintain the archives, which means they must be brought back to the office location before data recovery can start. Such a setup is laborious, cost intensive and time consuming.

With cloud backups, a business’s data can be fully recovered and ready for use within minutes to hours, because it is readily available at all times over the internet. Cloud backups are cutting-edge solutions that offer automation, guaranteed stability, elastic storage, e-discovery and a self-help or do-it-yourself mechanism.

Solutions like Vaultastic, the cloud email archiving service from Mithi, manage the growth in your storage seamlessly, ensure extreme durability for the data and provide end users direct access to their tamper-proof vaults with an e-discovery panel to simplify email management.