On 25 May, the GDPR took effect in the E.U. In light of this new legislation, customers will find one feature of Version 11 of our software rather interesting: retention policies that can be individually defined. Users of MailStore Server and the MailStore SPE are now able to configure retention policies in compliance with the provisions of the GDPR, in particular with Article 17 of the GDPR, which is also called the right to erasure (‘right to be forgotten’) regarding personal data. In this manner, administrators can define individual retention policies, enabling them to maintain complete control of the periods for which various types of email are archived. They can define whether emails are automatically deleted from the archive, and when, thereby complying with the different retention periods that are mandated by legislation. In this context, it is important that the archiving date is used as the guiding factor in the event of automatic deletion, simply because it is easy to manipulate the send or receipt date of an email. Any global retention policy from legacy versions that existed before this upgrade will be automatically adopted.
Defining retention policies
The procedure for administrators to define new retention policies is rather straightforward in MailStore. They can select ‘Compliance’ –> ‘Compliance General’ in the menu. Then under ‘Retention Polices’ they can define which email is stored in the archive and for how long, protecting it from being deleted without permission.
Administrators should also consider that it may not be sufficient to comply with regulations in specific cases/countries to set one single global retention policy for all email. For example, in Germany, these regulations affect job applications, which usually must be permanently deleted after a retention period of around 90 days. MailStore 11 now offers more flexibility for the email archive in terms of retention periods.
However, a global retention period that applies to all email should be used during initial setup. As a minimum, administrators should select the maximum retention period mandated by law in the case of the specific country. These settings need to be confirmed for each individual retention policy that is set up and then activated separately in order to protect the administrator. This makes it possible to add any number of retention policies for email that comply with individually definable criteria based on the archive search. For example, administrators can establish different periods for ‘out-of-office notifications’ or ‘applications.’
As many retention policies as necessary
All policies that have been created are shown in a list based on the priority. What does this mean? Based on the attributes stored in the policies, a search is performed on the email archive at a specific point in time, defined by a ‘Job’.
The search identifies emails that have exceeded the defined retention period. They will then be subsequently deleted. By default, the search starts at 3:30 a.m. and detects the email associated with the highest priority policy according to the list.
In this regard, a global retention policy that, for example, makes sure that no email is deleted before a specific time, must always be situated under other retention policies that enable certain types of email, such as job applications, to be deleted before this period has elapsed.
It is also possible to individually modify the prioritization. The search of the archive is performed at night, as automatic searches can take a long time, depending on the archive’s size, thus negatively affecting the workload.
A spot-check of the retention policies should be performed after the administrator has defined the necessary retention policies and before they are confirmed and become binding. To do so, the administrator uses his admin password to access the email archive by temporarily activating the email preview. When finished checking, the email preview should be deactivated again. By the way, this step is logged, which is why we recommend entering a reason for accessing the archive (‘review of retention policies,’ for example) in the provided field. As part of a search for emails which are affected by retention policy (‘out-of-office notice,’ for example) in the archive, the admin can then after opening an email see which retention policy on the Mail applies and how long the corresponding email is kept by using the button ‘Retention Details’ in the toolbar.
If the administrator attempts to delete an archived email that is protected by a current retention policy, deletion is rejected and the MailStore software displays a corresponding message.
MailStore Server and the MailStore SPE: Differences
The basic procedures described here regarding retention policies apply to both MailStore Server and the MailStore SPE. However, with regard to the MailStore SPE, only administrators of end customers are permitted to use the retention policies. The service provider’s administrator (‘$archiveadmin’) cannot access the retention policies.
You can find a support video explaining how to set up retention policies here:
You can find detailed instructions on setting up and using retention policies here.
Please read the update notices before updating.
Feel free to contact our support team at firstname.lastname@example.org if you have any further questions.
Would you like to test MailStore Server 11? Download the free 30-day trial version today.