Emails remain arguably the most valuable information asset for businesses of all sizes and segments. Amid rapid digitisation and the transition to remote working enforced by the pandemic, email volumes have grown rapidly – with Statista predicting that over 376.4 billion daily emails will be sent by 2025, up from 306.4 billion in 2020.
This growing flood of information and inbox overload has made email archiving – the practice of preserving, and making searchable, all email to and from an individual – an important consideration for organisations. In fact, IMARC states that the global enterprise information archiving market – of which email is a large part – is worth $6.51 billion as of 2021 and is expected to grow to $14.91 billion by 2027, an increase of over 14% in six years.
- Email Management in the Legal Sector
- Common Policies and Regulations
- Defining Retention and Compliance
Email Management in the Legal Sector
Although emails are the fundamental medium of communication and authentic proof of business for most, many organisations – including law professionals – often resort to conventional mail servers as their default repository. However, because business-relevant emails virtually always contain personal data, and often sensitive information, the issue of data privacy compliance quickly arises and is often perceived as a potential conflict with retention obligations. Simply storing emails in Outlook or Gmail is often not enough to adhere both to data privacy regulations and to the rules imposed on highly regulated industries in particular. Many countries also require enterprises to store electronic data for tax audits and other investigations, amplifying the need for an independent email archiving and email data governance strategy. Email archiving further helps a company defend its legal rights in the future, by retaining proof of important agreements, statements and contracts.
Because the regulatory standards that governments around the world impose on information and the processing of personal data vary, email archiving has become central to many businesses seeking to ensure that personal data is processed lawfully under the various laws of the bodies that govern them.
For legal professionals, whether they are advocating on behalf of their clients or helping to design policies for organisations, it is critical to understand a few underlying principles that define legitimate email archiving under the law.
These rules can be complex and may vary by client, with data retention policies often governed by specific industry requirements – especially in the healthcare and financial services sectors. Companies also need to factor in data privacy laws when drawing up a strategy to comply with retention requirements. In this piece, we share some basic knowledge of the regulations to equip legal professionals with the initial information they need to advocate for, or draft, their clients' email archiving policies.
Common Policies and Regulations
When designing email retention policies for businesses, legal professionals should be aware of the requirements set by the EU's data privacy policies and regulations, in particular the general principles relating to the processing of personal data in Article 5 of the GDPR and the rights of data subjects, such as the right to erasure outlined in Article 17 of the GDPR. Although the EU GDPR no longer applies in the UK following Brexit, the UK GDPR is very similar.
According to Article 17, individuals on whom companies hold personal data have the right to request erasure under certain circumstances, and businesses are obliged to comply. Automatic deletion rules can help companies comply with some of these principles, but they must take into account the differing data retention periods mandated by legislation. Email archiving solutions can help identify the relevant emails through their search functionality and can provide an audit trail or log as documentary evidence of lawful deletion if needed.
An email archiving solution can also help with compliance with Article 5 of the GDPR, which sets out the general principles relating to the processing of personal data, through features such as automatic deletion rules, encryption, access limitation and audit logs. These principles include integrity and confidentiality, accountability, purpose limitation and data minimisation – for example, by ensuring automatic deletion once the original purpose of the email has been achieved.
However, large organisations should bear in mind that it may not be sufficient to apply data regulations as a blanket rule globally or across departments, because some rules are set only for specific cases or countries. For example, in Germany there are specific requirements for emails and other documents relating to job applications, which must be permanently deleted after a maximum retention period of around three to six months.
Ultimately, the role of the GDPR is to give EU residents the right to decide how their personal data is collected, retained and otherwise processed, and to ensure it is used legitimately and securely for the purpose for which it was collected.
While some organisations fully abide by this law and have legal processes in place to protect and ensure the privacy of data, many businesses lack the mechanisms to archive emails passing through their IT systems and to provide a tamper-proof audit trail for them. This is particularly concerning given that customers of EU and UK businesses may be entitled to exercise their data subject rights, including requesting access to emails, which must be honoured without undue delay and within one month of the initial request.
Organisations can receive heavy fines for non-compliance with the GDPR, meaning all emails need to be stored safely and appropriately and be easily accessible in their original formats if required. Fines can amount to up to EUR 20M or up to 4% of annual global turnover (whichever is higher). In fact, as of this February the overall sum of GDPR fines is close to 1.6 billion euros, with the highest ever fine being 746 million euros, imposed on Amazon for non-compliance with general data privacy principles.
It is evident, therefore, that all legal firms need to keep a close eye on how they manage and archive electronic communications, both for themselves and for their clients, to ensure they adhere to the latest data protection regulations.
Defining Retention and Compliance
Given that email retention requirements may vary by industry, by country and probably even by company, it is important for lawyers and compliance officers to ensure that emails are stored in archives that meet the applicable legal and business requirements, while at the same time ensuring they are protected from deletion or unauthorised access – whether by malicious actors, employee error or other causes.
Law firms need to factor in rules that overlap with the data retention policies of specific industries. For example, regulatory retention obligations may differ for healthcare, finance, insurance and investment, or pharmaceutical companies. In addition, law firms themselves may be required to keep records on their clients and cases for a certain period under bar association rules or other regulations.
This can be a huge challenge for data storage and management systems. Considering that the data needs to be secured in its original form, and business continuity ensured in the event of cyber-attacks, data loss or privacy breaches, email archiving solutions are crucial for legal professionals.
Legal businesses need these solutions to comply with the appropriate retention periods for their country and industry, while at the same time remaining compliant with, and avoiding conflict with, data privacy and security regulations. Only then will they be able to monitor information flow, ensure the availability of mission-critical data and adopt a reliable information management strategy that scales over time.
This article first appeared at https://www.legal-brief.co.uk/features-analysis/email-archiving-and-the-legal-sector/.