Why regulated industries must take caution around email management

Julian Jansen, Legal Counsel, MailStore – an OpenText Company


The pandemic has left many organisations feeling a need to be more agile and adaptable to change. At the heart of this is the shift to a hybrid work approach, which includes a wider distributed workforce and refocusing on the employee experience and collaborative opportunities with third parties.

These seismic shifts in the digital business landscape have also driven finance organisations to take more responsibility for their data, e.g. via robust email management strategies.

A key driver of this is that finance is an industry that is now more heavily regulated than ever before. For example, the second version of the pan-European Markets in Financial Instruments Directive (MiFID II) came into force in 2018, requiring EU member states to implement record-keeping obligations for companies operating in the financial sector (e.g. investment firms, credit institutions or data reporting service providers).

As laid down in MiFID II Article 16 (6), an investment firm must arrange for sufficient records to be kept of all services, activities and transactions undertaken by the business to enable the competent authority to fulfil its supervisory tasks and, in particular, to ascertain compliance with all obligations. Therefore, it is evident that finance organisations need to keep a close eye on how they manage and archive electronic communications.


Email archiving vs email data backup in the cloud

The primary objective of email archiving is to ensure that email data remains available in its original form and is retrievable at any given time. Organisations need to analyse which types of emails should be archived and for how long. Examples of business-critical information contained in emails are invoices, quotations, support inquiries or service complaints. However, an email management strategy will also have to take into account requirements according to the EU-GDPR and similar data privacy regulations, some of which are described below. Consequently, archiving all emails indefinitely may not be advisable after all.

The capabilities of email archiving are separate from those of backup solutions, which create only temporary copies of the email server’s data on an external storage medium or in the cloud; the two should be used in tandem. A backup system is there for disaster recovery: it allows temporary, backed-up data sets to be copied back from external storage in the event of data loss or system downtime, e.g. due to a hardware failure or a cyberattack.


Key requirements when complying with regulations such as the EU-GDPR 

Business-relevant emails virtually always contain personal data or other sensitive information. Industry-specific regulations and data privacy laws like the EU-GDPR have been a key driver of increased awareness of businesses regarding their email management strategy during the last couple of years. Privacy laws contain provisions to protect people’s fundamental rights and freedoms when their personal data is processed. The general EU-GDPR principles include purpose limitation, data minimisation, storage limitation as well as integrity and confidentiality. The entity determining the purposes and means of the processing, the “controller”, will be held accountable for complying with these principles.

An email archiving solution should, for example, allow emails that have been successfully archived to be automatically deleted when appropriate, thus freeing up storage space and complying with data privacy principles such as data minimisation and purpose limitation according to Art. 5 EU-GDPR.


Data residency, data sovereignty and outsourcing to service providers

Creating an email management strategy also involves evaluating whether emails are stored on a server managed on-premises by a company’s own IT or with an independent SaaS provider or its subcontractors. When it comes to data storage, leveraging cloud technology is a great option as it offers important scalability. But this does not take care of where email data resides and how it is protected and managed.

When evaluating the implementation of a cloud solution, finance businesses will, on the one hand, have to carefully consider sector-specific requirements such as the guidelines by the European Banking Authority (EBA) or the European Insurance and Occupational Pensions Authority (EIOPA) on outsourcing to cloud service providers.

On the other hand, it is imperative to determine where emails are processed and archived, meaning where the data centres are located and from where access is possible. This is relevant because, according to Art. 44 ff. EU-GDPR, transfers of personal data to a third country shall only take place where the level of protection in the EU is not undermined. In the past, businesses could, for example, leverage the so-called Safe Harbor Privacy Principles to ensure such an adequate level of protection. However, Safe Harbor was declared invalid by the European Court of Justice (“ECJ”) in 2015. This was the first “Schrems” decision, named after the now well-known Austrian activist Max Schrems. Safe Harbor was succeeded by the EU-US Privacy Shield, which was in turn declared invalid in 2020 in another ECJ case known as “Schrems II”. As a result, it is now rather challenging to carry out lawful transfers of personal data to third countries.

In addition, when engaging a SaaS provider, a business should consider entering into a Data Processing Addendum (“DPA”). A DPA is an agreement which covers the requirements of Art. 28 of the EU-GDPR. It is required where a third party (“processor”) is engaged to process personal data on behalf of a controller. Among other things, the controller has to ensure the processor has implemented technical and organisational measures appropriate to the risk.


Email archiving as part of your business continuity strategy – both inside and outside the business

We recommend all financial organisations implement a sound email governance approach, including an independent email archiving solution, as part of their integral business strategy.

Identifying and managing security and data risks within the organisation can also be challenging. Email archiving can help minimise internal risks, as it supports security and conformity to regulations specific to the sector and the country or region.

Professional email archiving solutions allow businesses to choose between different strategic archiving approaches, depending on their needs. It’s essential, however, that the right archiving strategy is chosen. If legally compliant email archiving is the prime focus, journal archiving could be the best option. Alternatively, if offloading the email server is the main objective, mailbox archiving in tandem with specific delete rules may be the better bet.

Combining the two approaches is also feasible, allowing financial businesses to deploy email archiving as an indispensable part of their corporate strategy.

