First, the mistake most companies make when creating an email retention policy is not involving all areas of the company in the construction/review process. An email retention policy is not just a legal document, it will effect employee productivity company-wide. So, the first step is to create a policy group with representatives from all major areas of the company. It is important that you understand how employees use the email system. Do they create their own personal archives? How often do they reference old emails? Understanding these things will ensure you don't put in place procedures that will adversely affect employee productivity.
Second, you need to understand what regulatory or legal factors you are subject to. Is your company in a heavily regulated industry that has existing data retention requirements? For example, banks and other financial institutions have data retention requirements under the Gramm-Leach-Bliley Act, brokers and traders have data retention requirements under the SEC and NASD regulations, hospitals and other medical institutions need to worry about regulations under HIPAA and all publicly traded companies in the U.S. have data retention requirements under Sarbanes-Oxley. These regulations all have retention requirements which include email. Legal considerations mainly revolve around your company's current legal status, i.e., are you in the midst of a court case which could include discovery of company email. It is always best to have an email retention policy in place before legal proceedings.
Third, you need to decide how you will enforce the email retention policy. Are you planning to put an automated email archiving system in place, or will you rely on manual procedures? If you will rely on manual procedures, you will need to include step-by-step email retention instructions that employees can follow and employee training to ensure the policy enforcement. In most cases, an automated email archiving system will ensure policy enforcement and raise employee productivity.
Also, you must communicate the new policy to the employees. Employee communication and training can lower your compliance and legal liability.
Lastly, a good email retention policy should have the following topics:
- Effective date
- Last change date and changes made
- Person or department responsible for the policy
- Purpose of the policy
- Policy statement: This can include a company philosophy statement about the business/legal/regulatory reasons for records retention
- Duplicate copies/convenience copies
- Consequences if the policy is not followed
Do you know…
This was first published in June 2006