Companies need to store emails and documents for at least six years in a central repository, before they consider deleting or destroying the information, according to Pinsent Masons lawyers.
"In terms of retaining documents and having a policy which complies with the requirements of limitation periods, six years is the typical period for contract claims, but for an IT project, the project itself might take three, four, five or six years," said Ian Birdsey, a senior associate at Pinsent Masons.
"Therefore it is preferable, particularly for IT companies, to be looking at implementing a policy that begins six years after the completion of the project or from a point at which it is a bit clearer that no claims have been made."
Complicating matters, data retention requirements may vary widely in cross-border deals or business processes, and the organisation needs to take this into consideration.
And, on top of that, adds Birdsey, the law hasn't even caught up with such issues as bring your own device or the very portability of even sensitive data – via email, mobile phones or memory sticks. As a result, Birdsey recommends a policy that might be regarded as draconian: adopting an email management policy that prevents staff from storing information on non-corporate devices.
However, according to managed email security services provider Mimecast, fewer than one-third of companies it surveyed stored archived emails for "at least three years", and just one-quarter have an email retention policy that complies with industry regulations.
As a result, concludes Mimecast, it would take the average British business some 12 working days to identify all emails relating to a particular issue – with one-sixth believing that such an e-discovery request might take a month or more.