Banner artwork by Andrii Yalanskyi / Shutterstock.com
Creating and implementing a policy for the retention and deletion of emails (which I’ll refer to here as an email policy for short) can seem like a daunting task. Below are some tips that may help you navigate the process and be more pleased with the result.
1. Litigation counsel is your ally
When implementing an email policy, you’ll want to start with the support of your organization’s stakeholders. Which means you’ll need them to see the value of an email policy.
This may be a tough sell, especially for those who live and die by their inbox. Explaining the benefits of regulatory compliance may sway stakeholders only so far.
In that case, consider a joint call with your litigation counsel. Your litigation counsel sees firsthand how interested plaintiffs are in company emails. By sharing a few war stories and explaining the litigation benefits of timely email deletion, you may find the added persuasion needed for things to move forward.
A call like this is also something litigation counsel may consider doing for free as a value add. Afterall, an email policy would also make his or her job easier.
2. Start by collecting all retention policies
Seek first to understand, then to be understood. Remember this from the Seven Habits of Highly Effective People? Well, it applies to creating an effective email policy too.
After you have stakeholder support, you may be eager to start drafting, but first take the opportunity to collect any retention policies that may be floating around your organization (current or expired). This will help you understand how others in your organization currently view and approach retention, which will in turn better inform your drafting. Here, I’d encourage you to use the word “policy” very broadly. Talk with each department directly and ask what document or source they reference when it comes to retention/destruction issues, because they may not consider that a policy, but effectually it is.
3. Work arm-in-arm with IT
Just as an architect’s design doesn’t come to life without the help of a builder, neither will an email policy “get off the ground” without help from IT. You’ll want to meet with them early in the drafting phase to learn from them what’s possible with your current technology infrastructure, whether tech updates are needed, timelines, costs, and feasibility. If your IT support is outside of your organization, ask them what they may have set up for other companies, and what they’ve seen work, and what they’ve seen fail.
4. Account for paper and digital records
When people think about saving records, they often picture boxes and folders filled with paper. So, you’ll want to make sure your policy accounts for both paper and digital records.
If your organization has an existing policy about paper records, this is a good opportunity to review it for needed updates. If it doesn’t have one, it’s not much work to do this in conjunction with an email policy.
You’ll also want to plan for some training on what counts as a “record” as many within your organization may not consider emails to be records. Referring to paper records here can be helpful. It’s commonly understood that companies don’t save every piece of mail they receive, but they do save some, usually depending on the context and content.
The same goes for emails. Most emails are not records that should be retained, but some are. Here, it can help employees to ask themselves if the contents of the email were given to them on paper instead of in an email, is it the kind of thing they would scan and save (or place in a physical file)? If so, the email probably needs to be kept.
5. Avoid underground archiving
Remember, change can be hard. When it comes to an email policy, those who will be most resistant will likely be long-term employees who see their inbox as a historical record, rather than merely a communication tool.
An email policy that is viewed by employees as too complex or too “slash and burn” when it comes to deleting emails can lead to underground archiving — employees moving emails out of their inbox and saving them in other locations. This in some ways is worse than not having an email policy, because the emails that the company would normally want discarded under an email policy still exist, but now reside in unknown locations or locations the company doesn’t control.
A policy that accounts for some historical lookback, and that is user-friendly will deter underground archiving.
6. Be detailed behind the scenes
While you’ll want the email policy to be user-friendly, behind the scenes it’s helpful to have a detailed understanding of specific record retention laws and regulations.
Consider creating a spreadsheet specifying each type of record that your organization creates or receives. For each record, specify the longest retention duration applicable and the relevant legal citation. While this spreadsheet would not make for a user-friendly policy, it will make it easier for you to answer questions about specific documents when they arise (and they will).
Privacy and labor law counsel may have a similar worksheet already that could act as a starting point for you to build on. This may be another area where you can negotiate with outside counsel to provide resources as a value add. Also consider contacting counsel for industry organizations or related professional groups your company supports. They may happily share what they know.
7. It won’t be perfect, and that’s OK
Email policies are an excellent example of where attorneys can make perfection the enemy of progress. Sometimes, legal is the very group that holds up the implementation of an email policy out of concern that at some point a crucial record will be in advertently destroyed or deleted.
Remember that almost any policy, no matter how simple, will be better for the organization than a “save everything approach,” which is essentially what the company is doing by not having an email policy. This has the opposite effect, retaining records that should be discarded. And bloated data storage means increased risk for data breach. Also remember that the policy isn’t written in stone — it can be adjusted and revised in the future. Which leads me to my next tip.
8. Don’t set it and forget it — Audit it
Should an email deleted as part of your email policy later be requested by an agency or judge, you can assert that that the deletion was routine and done in good faith. But to support that claim you’ll want evidence of effort to comply with the policy as written. This means that once your email policy is implemented, you’ll want to have plans for routine auditing and training. And you’ll also want to document that these audits and trainings occurred.