On average, people send more than 120 work-related emails each day. While email generally isn't thought of as containing sensitive information, business emails often contain names, phone numbers, email addresses, and other personal information.
This data, like other personal data, falls under the European Union’s General Data Protection Regulation (GDPR). This legislation is designed to protect the personal data of people living in the EU. Any organization, including charities and nonprofits, that handles the personal information of an EU resident must follow GDPR requirements, regardless of whether or not that organization is located within the EU. Organizations found to have violated this sweeping regulation can receive fines of as much as €20 million or 4 percent of their global revenue, whichever is larger.
The GDPR does not lay out specifics for the handling of emails; however, it does set out principles for the handling of personal data, which typically includes business emails. Article 5 of the regulation states that personal information must be processed lawfully and transparently. The data must be kept accurate and, where necessary, up to date.
The European regulation does not lay out a specific timeline for saving business emails. It only says that personal information can be kept for as long as is necessary. The GDPR states that the protection of sensitive data must be done by design and by default. This means organizations must prioritize data protection whenever launching new systems, services, or products.
Remaining Compliant
The simplest approach to making sure that business emails are kept safe and secure is to use an encrypted email compliance archiving system that cannot be accessed without proper authorization. Such a system should have protections against accidental deletion or corruption of data.
Many companies use a cloud-based system. Just a short time ago, putting sensitive data in the cloud would have been unthinkable. However, security and technology have developed to the degree that cloud-based archiving systems are secure and effective. In fact, many companies offer end-to-end encrypted email compliance archiving that is based in the cloud. The GDPR does not state that data must be kept in an encrypted form, but this approach has become the industry standard.
It's important to note that an email archive is not the same as a backup system. While it's true that both are used to store emails, there are key differences that are often related to compliance.
A backup system is meant to be temporary storage that gives quick access to fairly recent emails. Backup systems are commonly used to ensure that data can be recovered in the event of a breach, system failure, or other critical situation. They are generally not designed for long-term storage or specifically built for maintaining data integrity.
An email archiving system built for GDPR compliance, on the other hand, is designed for long-term, secure storage of information. While the information in an archive can be searched and retrieved, access tends to be less immediate than with a backup system. An email compliance archiving system is the better fit for GDPR because emails are stored in a way that maintains their integrity and prevents unauthorized access, both of which are required to stay compliant.
While an archiving system can keep emails for long periods of time, the GDPR states that personal information should not be kept once it is no longer needed for its purpose. Therefore, an email compliance archiving system should be able to delete specific emails as needed. Furthermore, Article 17 of the GDPR gives an EU resident the right to have the personal data an organization holds about them erased without undue delay. While there are some exceptions, such as data whose processing is necessary for reasons of public interest, an email archiving system must be able to delete all information relating to a specific person when required.
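The two requirements above pull in opposite directions: an archive must prove that stored emails have not been altered, yet it must also be able to delete individual messages on a retention schedule and erase everything about one person on request. The following Python sketch is an added example, not MirrorWeb's product or any real archiving system; it assumes a simplified design in which an append-only, hash-chained log holds only pseudonymised metadata (SHA-256 of addresses, SHA-256 of the body), while the erasable message bodies live in a separate store. Erasing a subject or purging expired messages removes the bodies and appends an event to the chain, so integrity verification still succeeds afterwards and the audit trail records what was deleted and why. All message data below is constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def _digest(obj) -> str:
    # Canonical JSON so the hash does not depend on key order.
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


class EmailArchive:
    """Hypothetical archive: immutable hash chain + erasable content store."""

    def __init__(self, retention_days: int = 365):
        self.retention = timedelta(days=retention_days)
        self.entries = []    # append-only chain; holds no raw addresses or bodies
        self.contents = {}   # message id -> body; the only place personal content lives

    def _append(self, entry: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = dict(entry, prev=prev)
        entry["hash"] = _digest(entry)   # hash covers every field including prev
        self.entries.append(entry)
        return entry

    def ingest(self, msg_id, sender, recipients, body, received: datetime):
        self.contents[msg_id] = body
        return self._append({
            "type": "message",
            "id": msg_id,
            "sender": _sha256(sender),                     # pseudonymised
            "recipients": sorted(_sha256(r) for r in recipients),
            "received": received.isoformat(),
            "body_sha256": _sha256(body),                  # lets us detect body tampering
        })

    def verify(self) -> bool:
        """True if the chain is intact and every live body matches its recorded hash."""
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev:
                return False
            if _digest({k: v for k, v in e.items() if k != "hash"}) != e["hash"]:
                return False
            prev = e["hash"]
        for e in self.entries:
            if e["type"] == "message" and e["id"] in self.contents:
                if _sha256(self.contents[e["id"]]) != e["body_sha256"]:
                    return False
        return True

    def messages_involving(self, address: str) -> list:
        h = _sha256(address)
        return [e["id"] for e in self.entries
                if e["type"] == "message" and e["id"] in self.contents
                and (e["sender"] == h or h in e["recipients"])]

    def erase_subject(self, address: str, reason: str = "Article 17 request") -> list:
        """Right-to-erasure: drop every body involving the subject, log the event."""
        ids = self.messages_involving(address)
        for i in ids:
            del self.contents[i]
        self._append({"type": "erasure", "subject": _sha256(address),
                      "ids": ids, "reason": reason})
        return ids

    def purge_expired(self, now: datetime) -> list:
        """Retention schedule: delete bodies older than the retention window."""
        cutoff = now - self.retention
        ids = [e["id"] for e in self.entries
               if e["type"] == "message" and e["id"] in self.contents
               and datetime.fromisoformat(e["received"]) < cutoff]
        for i in ids:
            del self.contents[i]
        if ids:
            self._append({"type": "retention_purge", "ids": ids,
                          "cutoff": cutoff.isoformat()})
        return ids


def demo():
    """Constructed sample: three messages, one expired, one subject erased."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    a = EmailArchive(retention_days=30)
    a.ingest("m1", "alice@example.com", ["bob@example.com"], "Q2 figures attached", now - timedelta(days=40))
    a.ingest("m2", "carol@example.com", ["bob@example.com"], "Lunch?", now - timedelta(days=1))
    a.ingest("m3", "bob@example.com", ["alice@example.com"], "Thanks", now - timedelta(days=2))
    expired = a.purge_expired(now)                  # ["m1"]
    erased = a.erase_subject("alice@example.com")   # ["m3"]; m1 was already purged
    return a, expired, erased


if __name__ == "__main__":
    archive, expired, erased = demo()
    print("expired:", expired, "erased:", erased, "chain ok:", archive.verify())
```

The design choice worth noting is what stays in the immutable log after erasure: only hashes of addresses and bodies plus the erasure event itself. Hashed addresses are still pseudonymous data under the GDPR rather than anonymous data, so a real deployment would need to justify retaining them as part of the audit trail; the point of the sketch is that integrity evidence and erasure do not have to conflict if personal content is never written into the tamper-evident structure.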
Beyond GDPR compliance, an archiving system is also extremely valuable in situations involving eDiscovery and customer complaints, where relevant information must be retrieved quickly and easily. Critical data stored in an archive can keep a company out of legal trouble or help it quickly address a major complaint from an important customer. Likewise, an archiving system should be able to delete data that is no longer needed, since anything retained could be exposed in the event of a data breach.
Finally, an email archive can be used to recover sensitive information in the event of a major disruption.
How MirrorWeb Can Help
A big part of GDPR compliance for email archiving is the regular review and updating of data storage systems. With offices in both the United States and the United Kingdom, we’re well-positioned to advise companies on GDPR compliance and offer them a comprehensive archiving solution that meets all of their compliance needs.
If you would like to know more about how to keep your company compliant, please visit our homepage to set up a consultation.