GDPR: Should you delete all emails after a certain period?

Robert Bond, partner at law firm Bristows LLP, explains how to deal with the tricky issue of having sensitive data mixed through your email databases

The EU's General Data Protection Regulation (GDPR) is set to come into force in May 2018, and there is widespread consternation at many firms around what to do with personal data that resides in email platforms.

At a recent Computing event 'Getting ready for the GDPR', a member of the audience who identified himself as a lawyer from Brunswick Group asked a panel of experts what to do with such data.

"Lots of people ask for the destruction of everything, and that's very difficult. Have you been able to fix a number of years or months as to how long you hold these emails for?" he asked.

Organisations are concerned, because losing such sensitive data could result in a fine of up to four per cent of global turnover, a huge leap up from previous fines.

Answering the question, Robert Bond, partner at law firm Bristows LLP, said that organisations must show that they are trying to do the right thing.

"Both for our law firm and our clients, my rule of thumb is here are some different laws which prescribe keeping personal data for fixed periods, but no one size fits all, and the rules vary per organisation," said Bond.

"Broadly, for general personal data, there is no guidance as to how long you should keep it, or when to destroy it. On the basis that God helps those who help themselves, the more you can show you have a data protection policy, you can say we had a methodology, we did an assessment and decided to do it this way."

Bond added that although the GDPR gives individuals the right to request that their personal data be deleted, that right doesn't exist in all cases.

"If someone doesn't want direct mailing any more, you have to keep their details to remember that they don't want to receive those mails! Some US firms say they get rid of the problem by deleting all emails after two weeks. But then how can you prove what was agreed, or who unsubscribed? So you have to find a balance, because the more [personal data] you have and the longer you keep it, the more at risk you are."

Also speaking on the panel, Bridget Kenyon, head of security at University College London, explained her organisation's data retention policy.

"We've got a retention schedule which focuses on subject matter rather than form. Staff personal data gets kept for a certain period of time. And we don't want to keep emails forever after someone leaves, but equally we don't want to read through every email [to ascertain what to keep]. We have a policy of limited personal use for email, so it's complicated. The policies are being discussed this week," she added.

Earlier, Kenyon told delegates how to squeeze extra security budget from the business, using the GDPR.

Bond gave an example of internet pioneer Vint Cerf, who lost a lot of precious information thanks to an organisation's destruction policies.

"I did a talk with Vint Cerf last year, and he said that some of his original work around the creation of [internet precursor] Arpanet and the internet itself, he stored on old backup tapes and placed with a third-party vendor. Unfortunately their policy was to destroy stuff after a period of time, so he now has nothing on a whole part of the history of the internet's creation."

Neil Thacker, deputy CISO at Forcepoint, agreed that the email conundrum is complex, stating that there is no right answer, but concurred with Bond's point that organisations must show that they are trying to adopt the right principles.

The panel also discussed the compliance challenge of the GDPR, citing data discovery and consent as the main difficulties.