Why is this an issue?

Email continues to be an essential communication tool, with over 4 billion users worldwide. As of 2024, approximately 361.6 billion emails are sent each day globally (Oberlo, 2023).

The continued reliance on email is a significant cyber security and data protection challenge because data retention is rarely managed when it comes to controlling the size of users' inboxes.

A typical inbox size is 50 GB which, if breached, is bound to contain a very large amount of personal data. Also, if the inbox is in scope for a Data Subject Access Request (DSAR), this can result in considerably more time and effort to assess the data and respond accordingly.

Why is your email inbox a risk?

What do we mean by data retention?

Data retention is where organisations store data that they use in their day-to-day operational activities. For example, they may store customer records for many years if they assess that this is needed for business purposes.

While data protection legislation (e.g. GDPR) does not set specific time limits for data retention, it follows the principle that data should only be kept as long as necessary. Article 5(1)(e) of the GDPR, known as the storage limitation principle, states that even if personal data is collected lawfully, it cannot be retained longer than needed to fulfil the purposes for which it was collected. However, personal data can be kept for extended periods if archived for public interest, scientific or historical research, provided it is appropriately anonymised or encrypted.

Organisations are responsible for understanding the data they hold, the reasons for holding it, and determining whether the data should be erased or anonymised when it is no longer needed.

How should data retention be applied to email?

Email contains varied amounts and categories of personal data. In most cases, the owner of the inbox has not assessed the confidentiality or the retention requirements.

It is often the case that end users are using email as their document storage. They are not deleting their emails because they feel they need to be able to access the data at some point in the future. This should not be the case: email is not a document or personal data repository, it is a messaging solution.

Why do you need an email retention policy?

  • Cyber attacks – Email inboxes are often compromised due to account harvesting, resulting in access to the contents and the personal data within them. The larger the inbox, the more data is at risk and the more analysis is required to find out what data has been compromised.
  • DSARs – The majority of data subject access requests include email as a source of the data. The larger the inbox, the more data has to be provided. Therefore, responding to the request will be more time consuming and likely to involve more cost.
  • Legal requirement – Under Article 5, there is a legal requirement to manage retention of personal data. This means that a user's inbox is in scope for management. A key aspect of the legal requirement is to only keep data as long as necessary. Therefore, it is difficult to justify an inbox size of 50 GB which may contain data going back many years that is no longer needed.

Email retention best practices

In addition to meeting legal requirements, your policy should align with your business needs. Here are some key factors to consider:

  • Appoint a Data Retention Officer (DPO) or provide training. Assign a dedicated officer or offer training to ensure employees comply with the email retention policy and properly manage stored communications.
  • Classify emails by category. Organise emails into categories such as personnel, premises, contracts and product safety, and establish specific retention periods for each. While a single universal policy may seem sufficient, different types of emails require tailored retention approaches.
  • Ensure proper retention for hiring processes. Maintain a retention policy for candidate emails and store that information for an appropriate period. Keeping these emails post-hiring can protect against potential claims of discriminatory treatment from unsuccessful applicants.
  • Retain key emails for legal protection. While policies may vary, some provisions are standard. Always retain original emails that may hold value as evidence in current or future legal proceedings. These should be stored securely outside of the user's inbox.


In summary:

  • Limit Data Retention: Personal data should not be kept longer than necessary.
  • Justify Retention Periods: Clearly define and justify how long data is retained based on its purpose.
  • Establish a Retention Policy: Set standard retention periods to comply with documentation requirements.
  • Regularly Review Data: Periodically assess stored data and erase or anonymise it when no longer needed.
  • Respect Data Erasure Rights: Individuals have the right to request data deletion if it is no longer required.
  • Exceptions for Specific Uses: Data can be retained longer for public interest archiving, scientific or historical research, or statistical purposes.
  • Set a realistic maximum inbox size (e.g. 15 GB): There should be a hard limit on the amount of data stored.