Data protection
Most countries impose data protection laws to protect their citizens. In the USA there is a plethora of state and federal laws, and in Europe there is the GDPR. These laws can create a significant risk for businesses, because a single data request can generate a huge amount of work. For example, an ex-employee might ask for data about themselves to be removed from your systems, or they might invoke their 'data portability' rights and require you to provide them with copies of all personal data that you hold about them.
You may have addressed these scenarios for Human Resources related data such as resumes (CVs), staff appraisals, etc., and be able to find it quickly, but what about all the email?
You may have a policy that staff should not use the company email system for personal matters, but until case law in your region gives a clear direction on this, you may be exposed if a past employee asks for copies of personal emails.
One way to protect your business from such claims is to ensure that the data they might ask for does not exist.
Example Policy
Staff must file all business-related email to the relevant locations; any messages remaining in an email account after 'n' days will be automatically deleted. Except where there is a business reason to keep the account active for a limited period, the email accounts of staff leaving the business will be automatically deleted within 'n' days of their departure.
A policy like this can save you a lot of trouble because:
- It creates a clear business case for staff to file their emails, which has a plethora of business efficiency benefits
- It reduces your storage and backup costs because the junk is no longer retained
- If someone makes a claim for copies of all personal emails, you can legitimately respond that your policy is to delete personal content and retain only the business messages, which you are legally entitled to do, and that you therefore have nothing to give them