What is Email Archiving Compliance?

Email archiving compliance is the practice of using an email archiving solution for retaining email data to comply with government, state, local, and industry regulations. There are many laws that place restrictions on the length of time certain types of data can be retained, and others that require certain data to be retained for a minimum period of time.

Legal Data Retention Requirements

The Federal Rules of Civil Procedure in the United States cover physical and electronic records and require them to be produced to support legal cases. The Payment Card Industry Data Security Standard (PCI DSS) has a requirement to retain certain data for 12 months, the Health Insurance Portability and Accountability Act (HIPAA) requires certain documentation to be retained for a minimum of 6 years, and the Sarbanes-Oxley Act (SOX) and IRS regulations require records to be kept for 7 years.

It is a legal requirement to comply with these laws. In the event of an audit or HIPAA compliance investigation, orders will be issued to produce certain types of data within a certain period of time. Any business that fails to capture and securely store its emails, exceeds the maximum time for storing certain types of data, or cannot produce requested data within the allocated time will be at risk of a substantial financial penalty and could potentially face criminal charges.

Morgan Stanley was issued with a $15 million civil monetary penalty in 2006 by the Securities and Exchange Commission for delays in handing over emails and deleting certain email communications. The company had failed to provide tens of thousands of emails that were sought in investigations spanning several years.

Consumer Data Privacy Laws

The General Data Protection Regulation (GDPR) took effect on May 25, 2018, and requires all entities that control and process the personal data of EU citizens to ensure that personal data are protected and are only retained for as long as there is a legal basis for processing the data. The GDPR gave individuals rights over their personal data, including the right to inspect their personal data, correct errors, and request that the information be permanently deleted. Several other consumer privacy laws with similar provisions have since been introduced, such as the California Consumer Privacy Act (CCPA), and other U.S. states are developing similar laws.

If a request is received under these laws from a consumer wishing to inspect their personal data or have that information deleted, all information must be produced, including information in emails. Failure to produce or delete data within the stipulated time frame can result in a significant fine: up to €20 million or 4% of global annual turnover in the case of the GDPR.

Email Archiving Compliance

Email is the primary method of communication and collaboration for companies. On average, employees receive over 100 emails a day and send around 40. Ensuring that business-critical emails are not accidentally deleted and that emails are retained to comply with data retention laws can be a challenge.

The management of emails can be an incredibly time-consuming process and complying with data retention laws requires effort from many different individuals. Email archiving compliance solutions are offered by many companies to ease the burden of complying with data retention and consumer privacy laws. These software solutions allow email retention policies to be applied to automate the retention of emails. When an email that needs to be retained is sent or received, it will be automatically sent to a secure repository for long-term storage.

Emails are indexed, tagged, and metadata and attachments are preserved. The emails are stored in their original form and the email archive is tamper-proof. When emails need to be found, a search can be performed on the archive and all relevant emails will be produced in seconds or minutes. Without an email archiving compliance solution, finding and producing emails for audits and complying with legal requests for email data would be a very time-consuming process. If emails need to be found in multiple mailboxes, spanning several years, it may not even be possible to produce the emails without an email archiving compliance solution. If your business is required to comply with the GDPR or CCPA and you do not have an email archiving compliance solution, managing consumers’ requests to access and delete their email data could be a full-time job.
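The two mechanisms described above, retention policies applied automatically per regulation and a tamper-proof archive, are sketched in the following added example. It is not code from the page or from any archiving product; the retention periods are the ones cited above (PCI DSS 12 months, HIPAA 6 years, SOX/IRS 7 years), while the category tags, record fields and the hash-chain layout are constructed for illustration.

```python
# Added example: a minimal retention-policy evaluator plus a tamper-evident,
# append-only archive log. Category names, field names and the chain format
# are assumptions for illustration; the retention figures follow the text.
import hashlib
import json
from datetime import date, timedelta

# Minimum retention per regulation, in days (years approximated as 365 days).
RETENTION_DAYS = {"pci": 365, "hipaa": 6 * 365, "sox": 7 * 365}


def retention_action(msg, today, erasure_requested=False):
    """Return 'retain', 'delete' or 'hold' for one archived email record.
    msg: dict with 'received' (ISO date) and 'categories' (regulation tags).
    A GDPR/CCPA erasure request is honoured only once no legal minimum
    retention period still applies; until then the record is flagged 'hold'
    so a human can reconcile the conflicting obligations."""
    received = date.fromisoformat(msg["received"])
    minimums = [RETENTION_DAYS[c] for c in msg.get("categories", [])
                if c in RETENTION_DAYS]
    if not minimums:  # no regulatory minimum: erasure can be honoured at once
        return "delete" if erasure_requested else "retain"
    expiry = received + timedelta(days=max(minimums))
    if today < expiry:
        return "hold" if erasure_requested else "retain"
    return "delete"  # minimum period elapsed; policy purges the record


def archive_append(chain, msg):
    """Append a record to a SHA-256 hash chain so later edits are detectable."""
    prev = chain[-1]["hash"] if chain else "0" * 64
    body = json.dumps(msg, sort_keys=True)  # canonical form of the record
    digest = hashlib.sha256((prev + body).encode()).hexdigest()
    chain.append({"prev": prev, "body": body, "hash": digest})
    return digest


def verify_chain(chain):
    """True only if every entry still matches its body and its predecessor."""
    prev = "0" * 64
    for entry in chain:
        expected = hashlib.sha256((prev + entry["body"]).encode()).hexdigest()
        if entry["prev"] != prev or entry["hash"] != expected:
            return False
        prev = entry["hash"]
    return True
```

A real archive would anchor the chain head in write-once storage or a signed timestamp so the verifier itself cannot be silently replaced.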


All businesses have legal requirements to retain certain data, including emails. Complying with data retention and consumer privacy laws can be a major challenge, but compliance is greatly simplified if you use an email archiving compliance solution to enforce data retention policies and automate the archiving of emails and deletion of emails when they are no longer required.