The EU's General Data Protection Regulation (GDPR) is set to come into force in May 2018, and there is widespread consternation at many firms around what to do with personal data that resides in email platforms.
At a recent event, 'Getting ready for the GDPR', run by V3's sister title Computing, a member of the audience who identified himself as a lawyer from Brunswick Group asked a panel of experts what to do with such data.
"Lots of people ask for the destruction of everything, and that's very difficult. Have you been able to fix a number of years or months as to how long you hold these emails for?" he asked.
Organisations are concerned because losing such sensitive data could result in a fine of up to four per cent of global turnover, a huge leap from the level of previous fines.
Answering the question, Robert Bond, partner at law firm Bristows LLP, said that organisations must show that they are trying to do the right thing.
"Both for our law firm and our clients, my rule of thumb is: here are some different laws which prescribe keeping personal data for fixed periods, but no one size fits all, and the rules vary per organisation," said Bond.
"Broadly, for general personal data, there is no guidance as to how long you should keep it, or when to destroy it. On the basis that God helps those who help themselves, the more you can show you have a data protection policy, you can say we had a methodology, we did an assessment and decided to do it this way."
Bond added that although the GDPR gives individuals the right to request that their personal data be deleted, that right doesn't exist in all cases.
"If someone doesn't want direct mailing any more, you have to keep their details to remember that they don't want to receive those mails! Some US firms say they get rid of the problem by deleting all emails after two weeks. But then how can you prove what was agreed, or who unsubscribed? So you have to find a balance, because the more [personal data] you have and the longer you keep it, the more at risk you are."
Also speaking on the panel, Bridget Kenyon, head of security at University College London, explained her organisation's data retention policy.
"We've got a retention schedule which focuses on subject matter rather than form. Staff personal data gets kept for a certain period of time. And we don't want to keep emails forever after someone leaves, but equally we don't want to read through every email [to ascertain what to keep]. We have a policy of limited personal use for email, so it's complicated. The policies are being discussed this week," she added.
Bond gave the example of internet pioneer Vint Cerf, who lost a lot of precious information thanks to an organisation's destruction policies.
"I did a talk with Vint Cerf last year, and he said that some of his original work around the creation of [internet precursor] Arpanet and the internet itself he stored on old backup tapes and placed with a third-party vendor. Unfortunately their policy was to destroy stuff after a period of time, so he now has nothing on a whole part of the history of the internet's creation."
Neil Thacker, deputy CISO at Forcepoint, agreed that the email conundrum is complex, stating that there is no right answer, but concurred with Bond's point that organisations must show that they are trying to adopt the right principles.
The panel also discussed the compliance challenge of the GDPR, citing data discovery and consent as the main difficulties.