How does GDPR affect email retention and archiving?

August 14, 2018, 10:00


You probably received more than a few emails from companies notifying you of changes to their privacy policy in the lead-up to May 25, 2018—the day the General Data Protection Regulation (GDPR) went into effect. The European Union drafted the GDPR to protect the personal and private data of citizens of the EU and European Economic Area and to establish a standard for data-security laws across Europe.

The GDPR defines personal data under Article 4 as “any information relating to an identified or identifiable natural person (‘data subject’).” An identifiable natural person is “one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

The GDPR also expands the jurisdiction of the EU’s data-protection laws because it applies to any company that processes the personal data of individuals who live in the EU, regardless of whether that company is actually located in the EU itself. Any company found in breach of the GDPR can be fined up to 4 percent of annual global revenue or €20 million, whichever is greater.

GDPR and Email Retention

Although the GDPR doesn’t have specific rules for handling and archiving email, it does set out specific principles for the processing of personal data, and those principles apply equally to personal data sent or received via email.

According to Article 5, personal data shall be:

Processed lawfully, fairly and in a transparent manner;
Accurate and, where necessary, kept up to date;
Kept in a form that permits identification of data subjects for no longer than is necessary.

The GDPR permits the storage of personal data for longer periods as long as that data is processed for archiving purposes (though it’s important to note that the law doesn’t specify minimum or maximum periods for data retention). Businesses often overlook deleted or archived email when planning for GDPR, and failure to protect the data in email correspondence could result in a substantial noncompliance penalty.

Another important thing businesses often overlook with email is improper data erasure, which can be a major obstacle to GDPR compliance. The GDPR’s right of erasure, as outlined under Article 17, gives the data subject “the right to obtain from the controller the erasure of personal data concerning him or her without undue delay.” For this reason, it’s imperative that you be able to access your clients’ personal data—including the data contained in emails—at a moment’s notice.

On the basis of this information, you may want to consider updating your company’s email-retention policy in addition to its privacy policy. Be sure to carefully evaluate how long you retain personal data, where you store it, how you use it (and for what purpose) and how you dispose of it. Additionally, you may want to consider investing in a system or solution that makes it easier to remain GDPR compliant.

How an Email-Archiving Service Can Help

There are a number of compelling reasons to purchase an email-archiving solution, chief among them being that it provides a place to securely store data and enables you to retrieve current and historical emails in real time using advanced search capabilities. Many businesses already use professional email archiving to guarantee state and federal regulatory compliance, prepare for e-discovery requests, and streamline the litigation process. In the event of a failure, an email-archiving solution can quickly restore data during the disaster-recovery process, safeguarding against the improper disposal of your clients’ personal information.

Some email-archiving services go the extra mile: they use role-based permissions to restrict users’ access to certain capabilities on the basis of their position in the company. This feature makes it easier to keep personal data out of the wrong hands. You can also use it to determine which users are permitted to delete emails, also protecting against improper data disposal. Moreover, some solutions enable you to customize your company’s data-retention policy on the basis of time, domain, department or email addresses to ensure it’s fully GDPR compliant.

Additional Considerations

In addition to updating your email-retention policy and implementing email archiving, you can do a few other things to help ensure your company remains GDPR compliant:

Familiarize yourself with the terms laid out in the GDPR.
Create a GDPR action plan that includes data auditing, employee education and training, and developing new security measures to prevent data breaches.
Minimize the amount of data your business retains and processes.
Review and update your company’s data-privacy policy to comply with the GDPR’s explicit-consent requirements.
Review and update your company’s email-retention policy.
Notify your clients of policy changes.
Invest in tools, such as an email-archiving service and data-security software, designed to make GDPR compliance more attainable and sustainable.

The GDPR’s recent enactment is a landmark that gives consumers power over their personal information and will change the way businesses handle data, requiring them to be more mindful of how they acquire, process and distribute clients’ personal information.

This article (and image) was originally posted here:

About Article Author

GDPR Associates