The Essential Guide to Email Retention Policy

Email is fast becoming the go-to channel for businesses looking to expand their audience and their commercial reach. With more than 281 billion emails sent per day, email is now the third most influential source of information for B2B audiences, behind personal recommendations and industry-specific thought leaders. It’s easy to see why businesses are becoming more reliant on email and other technologies for their day-to-day activities.

Having an email retention policy in place allows you to retain important customer information for the legally defined amount of time. Whenever you’re evaluating a provider to store your emails using email archiving software, you need to make sure their policy is comprehensive and follows industry regulations and email retention law.

What is an email retention policy?

An email retention policy is a policy that states how long an email should remain on your email archiving server before it is deleted automatically. This isn’t an arbitrary decision, though: the length of time is determined and influenced by the laws and regulations of each country and sector.

Why do you need an email retention policy?

Businesses should have an email retention policy. There are a number of reasons for this, aside from legislative necessity:

  • Data protection – Emails can contain sensitive business information, and you’ll want a policy in place that ensures this data is protected.
  • Cyber threats – Having a retention policy can help in the process of securing your business’ data against various cyber threats.
  • Regulations – If your business is regulated by government or industry standards, the required email retention periods can vary at a local, national, and industry level.
  • Legal concerns – Retained emails can be a strong factor in any litigation your business may be involved in. Having a proper policy in place – as well as the ability to retrieve emails – will help to protect against future litigation issues or fines.

Email retention regulations

All business sectors need to abide by email retention policies. However, they are governed by different regulatory bodies depending on the industry. For example, in the USA, different regulations apply to different industries, and these regulations stipulate different retention periods. You should always involve the legal, compliance, IT and management teams to determine the applicable retention periods – these can even vary within an organisation.

Email regulations in the UK

In terms of UK email retention law, all of the information businesses need to create their email retention policies should be taken from the Public Records Act 1958 (PRA 1958), the Freedom of Information Act 2000 (FOIA 2000), the Data Protection Act 2018 (DPA 2018) and the General Data Protection Regulation (GDPR), with GDPR email regulation of particular relevance.

These acts and regulations don’t necessarily mention an exact time period for which emails should be retained, but rather outline principles on which companies can base their own decisions. For example, the Data Protection Act’s fifth principle states that “personal data processed for any of the law enforcement purposes must be kept for no longer than is necessary for the purpose for which it is processed.” While this doesn’t specify a length of time that data should be held for, it does require businesses to look at their own needs and make a judgement call.

Email regulation in the US

US email retention regulations vary drastically from those of the UK, with strict rules in place depending on state law and industry. Most retention periods fall between three and seven years, but you will need to check with the correct governing bodies as to the exact length and circumstances.

Most federal bodies also recommend that US businesses consult their legal counsel on the specific laws within their state and profession. It is important to note that not all legal counsel is well versed in email retention policy, so having them draft one for you, or consult on yours, without the proper knowledge can cause more problems in the long run.

Below is a clear breakdown of the industries, governing bodies and recommended retention lengths that businesses in the US should adhere to:

Industry                                                      Governing body   Recommended retention
Credit card and related processing                            PCI DSS          1 year
Telecommunications                                            FCC              2 years
DOD contractors                                               DOD 5015.2       3 years
Banking                                                       FDIC             5 years
Federal, state and local government                           FOIA             3 years
Investment banking, brokers, dealers and insurance agents     SEC              7 years +
All public companies                                          SOX              7 years
Investment advisors                                           SEC              7 years +

Email retention best practices

Aside from making sure that you meet the legal requirements, you need to ensure that your policy matches your business requirements. Here are a few specific key considerations to take into account:

  • Split your emails into categories, e.g. personnel, premises, contracts and product safety, and clearly define a different email retention policy for each category. While one universal email retention policy may seem sufficient, you will need separate policies to cater for emails with different purposes.
  • Consider hiring a Data Retention Officer or offering training for this role. They’ll be in charge of making sure that employees adhere to the email retention policy.
  • While most email retention policies vary, certain types of provision are standard. For example, you should always look to retain original emails likely to have value as evidence in current or future legal proceedings.
  • If your company is hiring, you need to have an email retention policy in place to ensure that you store the information given by candidates. It’s also worth keeping the emails for a short period after hiring a candidate, in case an unsuccessful candidate accuses you of discriminatory treatment.

Aside from the best practices to take into consideration, there are also things you should aim to avoid. Some simple changes can help you avoid legal repercussions:

  • Make sure you’re consistent in enforcing your email retention policy across all departments and email types. If you’re seen as showing bias towards one area, it could lead to serious legal allegations as well as affecting other important business areas, including insurance cover.
  • Ensure that you don’t actively try to break the terms of your email retention policy in the eyes of the relevant laws, including the Data Protection Act, the Human Rights Act and the Regulation of Investigatory Powers Act. You may need to seek legal help to make sure that your policies don’t contradict each other.
  • If you are unsure whether you can delete something, err on the side of caution and keep the original copies of the emails. You may get in trouble for overextending your email retention policy guidelines, but having the evidence when it is needed outweighs this breach of policy.

Cryoserver’s email compliance software allows you to archive all of your emails securely and comply with your sector’s email retention policies. You can also show the audit trail of your compliance in legal situations. If you’d like to learn more, read more about our email compliance software, or get in touch with Cryoserver today to find the perfect email archiving system for your business and comply with email retention law in the UK and worldwide.
