HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Email Archiving Compliance Solutions

Email is still the number one communication tool for businesses and, as such, a large amount of important data is contained in emails; in some cases, that information is stored nowhere else. Email archiving compliance solutions help businesses protect their email data, ensure the information is always available and can never be accidentally deleted, and allow organizations to comply with federal, state, and industry data retention laws.

Laws with Email Data Retention Provisions

While it was once possible to simply save all email data, including external and internal emails, such an approach is no longer acceptable. Consumer data privacy regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) do not allow data to be kept indefinitely.

The GDPR places restrictions on the processing of personal data, including data in email accounts, and both the GDPR and the CCPA give data subjects the right to inspect the personal data a company holds, to restrict processing of their data, and to have their personal data erased. Further, new legislation such as the California Privacy Rights Act (CPRA) and Virginia’s Consumer Data Protection Act (CDPA) has implications for data retention. These new privacy regulations require companies to state how long they will retain data and to ensure their data retention policies are enforced.

There are many federal laws in the United States that require records, including electronic information, to be kept and maintained. Each law covers different types of data, and the data retention periods can vary dramatically: 1 year for compliance with the Payment Card Industry Data Security Standard (PCI DSS), 3 years under the Freedom of Information Act (FOIA), 6 years for certain data under the Health Insurance Portability and Accountability Act (HIPAA), and 7 years for compliance with IRS regulations and the Sarbanes-Oxley Act (SOX). Securities and Exchange Commission (SEC) regulations have a minimum data retention period of 7 years, and in some cases, certain data must be retained indefinitely.

It is also necessary to comply with the Federal Rules of Civil Procedure, which govern litigation in the United States. On December 1, 2006, amendments to the Federal Rules of Civil Procedure addressed the discovery of electronically stored information. If an eDiscovery order is received, electronic data, including data stored in email accounts, must be produced so it can be used as evidence in legal cases, and strict time limits are given for producing the data.

Why Email Archiving Compliance Solutions are Required by Businesses

Email archiving compliance solutions help businesses comply with all regulations that have data retention requirements. Data retention policies can be applied, and the solution enforces them, automates the retention of data, and ensures all relevant emails are retained in a secure, tamper-proof repository.

Without an email archiving compliance solution for managing email data retention, emails could be accidentally deleted or lost, which would risk a fine for noncompliance. If a request or order to produce email data is received, such as an eDiscovery order or an individual's request for a copy of their personal data under the GDPR or CCPA, finding and producing the emails would likely be a very time-consuming and labor-intensive task.

When email data needs to be retained, an email archiving compliance solution indexes the emails, captures the metadata, classifies and tags emails, and applies retention policies, including placing a legal hold on emails. If emails ever need to be recovered, a search can be performed on the archive and all relevant emails and attachments will be found. If individuals accidentally delete an important email from their mailbox, a copy will be preserved in the archive, which can be accessed via a plugin in their mail client. When data retention periods are reached, the data can be automatically purged from the archive.

Businesses that do not archive their emails or use a solution to manage their data retention policies will find it difficult to comply with data privacy laws. Email archiving compliance solutions allow data retention policies to be applied, automate the retention of all emails, and store them securely, in their original form, in a secure repository. When email data needs to be recovered, the archive can be searched and emails and attachments recovered in seconds or minutes, saving valuable time and ensuring compliance with all laws that have data retention requirements.