Companies should store emails and documents for at least six years in a central database, before they even consider deleting or destroying them, according to a leading data protection lawyer.
The advice could catch many companies with their trousers down, after research from email security services provider Mimecast claimed fewer than one-third of firms stored archived emails for “at least three years”.
But Ian Birdsey, a senior associate at Pinsent Masons, said: “In terms of retaining documents and having a policy which complies with the requirements of limitation periods, six years is the typical period for contract claims, but for a data project, the project itself might take three, four, five or six years.
“Therefore it is preferable, particularly for data companies, to be looking at implementing a policy that begins six years after the completion of the project or from a point at which it is a bit clearer that no claims have been made.”
Complicating matters, in cross-border deals or business processes, data retention requirements may vary widely. This needs to be taken into consideration by the organisation.
In addition, Birdsey claimed the law hasn’t caught up with such issues as bringing your own device or the very portability of even sensitive data – via email, mobile phones or memory sticks.
As a result, he recommends firms should adopt an email management policy that prevents staff from storing information on non-corporate devices.
