Despite the availability of a plethora of new channels such as messaging services and social intranets, the tried-and-tested email is still the No. 1 means of communication in the business context. Business-relevant emails often contain sensitive information and the issue of compliance quickly raises its head. But what does compliance exactly mean in the context of business email communication?
Compliance is essentially about adhering to rules, be they laws, administrative provisions, decrees — even internal policies implemented by a company.
The consequences of not complying range from internal company sanctions such as verbal cautions, written warnings, and dismissal, to third-party civil liability proceedings (e.g. claims for damages) and state-led criminal prosecutions (e.g. fines or imprisonment). A loss of reputation can have serious consequences, too.
In the context of emails, the term compliance covers two areas:
- Legal compliance means that a company’s management must ensure that all laws, rules, and regulations applicable to the company and its business activities are observed. Besides local provisions, a company must often also adhere to rules and regulations affecting its cross-border activities.
- A compliance management system incorporates all the measures introduced to ensure that compliance provisions are adhered to, including regular training sessions for competent staff members, and consistent monitoring and documentation of practices.
Compliance, regulatory compliance, and email compliance
Compliance, regulatory compliance, and email compliance are often used synonymously and are subsumed under the standard term “compliance” in the following. So what is the role played by compliance in the context of business emails?
In the following, we shed light on four categories of provisions/policies that can be important for business emails and give a detailed explanation of each by means of a practical example:
- Compliance with national and, where applicable, industry-specific provisions
Explanation: National and industry-specific provisions are many and varied. They include provisions from the healthcare sector, the environmental sector, the food industry, the insurance and financial sectors, the judicial system, and from tax legislation. Here are a couple of examples of relevance to email management:
- HIPAA (Health Insurance Portability and Accountability Act) for the U.S. healthcare industry and FINRA (Financial Industry Regulatory Authority) for the U.S. financial sector
- SOX (Sarbanes-Oxley Act) for companies listed in the U.S.
- AO (Tax Code) and HGB (Commercial Code) in Germany
Case example (HIPAA): A medical doctor in the U.S. wants to send X-ray images and patient data collected in his practice to a patient by email. What are the legalities the doctor needs to be aware of? Among other things, HIPAA requires that security measures be implemented to ensure that personal information on the patient’s health is adequately protected. In this case, archiving emails or creating backups of emails containing health information can, for example, be a sensible option. The aim of both measures is to prevent unauthorized access to the patient’s electronic health record (EHR) and to prevent it from being deleted — whether deliberately or by accident. Encryption of the data during storage and transfer can also help.
- Compliance with international provisions (e.g. EU directives and regulations such as the GDPR)
Explanation: In the first instance, European Union directives address the national legislator, who is then obliged to transpose the relevant provisions into national law.
In contrast, a regulation of the European Union is effective directly in the member states, i.e. it does not require an act of transposition. The General Data Protection Regulation (GDPR) is one such EU regulation. With regard to business emails, companies must ensure that the following four rights of data subjects are met, as these emails can contain personal data:
- The right of access (Article 15 GDPR)
- The right to object (Article 21 GDPR)
- The right to erasure (Article 17 GDPR)
- The right to data portability (Article 20 GDPR)
However, care must be exercised here: These four rights can bring companies into conflict with other laws and regulations. For example, Germany’s tax and commercial laws (the AO and the HGB) stipulate that an email archive must be complete, yet according to the EU laws on data privacy (GDPR) it might be necessary to erase personal data from an archive. The use of private emails in the workplace, emails from the works council or the company medical doctor, or data on candidates can also be a problem.
Case example (GDPR): An EU citizen and customer of a major online retailer requests that the company delete all of his or her personal data. The search function of an email archiving solution can help the retailer to quickly locate and then delete emails containing personal data of the data subject. But beware! Due to the potential for breaching other laws, the issue of whether to actually delete the data in question should be decided on a case-by-case basis.
- Compliance with internal company policies
Explanation: These rules and regulations are introduced voluntarily by a company; although they are binding upon staff members, they have no material effect outside the firm. As these policies are specific to individual companies, only a few examples are listed below:
- Email retention policies
- Email mailbox quotas
- Email mailbox permissions
- Email usage policies (e.g. private usage of corporate email accounts not permitted)
Case example (usage policies): A company decides to prohibit the use of the corporate email account for private purposes. Company staff have been asked to observe the policy strictly and send personal emails only via their private mailbox.
- Compliance with laws on data privacy, e.g. EU GDPR or CCPA (California Consumer Privacy Act)
Explanation: Data privacy features in each of the three above-mentioned categories: There are international, national, and industry-specific data privacy laws, in addition to internal company policies. Data privacy is concerned with protecting “informational self-determination,” a concept first introduced in the context of a German constitutional ruling. This right addresses the ability of individuals to protect their private lives by preventing the unauthorized collection, storage and sharing of personal details by companies, institutions, etc. Like the EU GDPR, the CCPA contains provisions to protect natural persons when their personal data is processed. Unlike the GDPR, the CCPA could also extend to data on households and devices. The CCPA defines information as any commercial information relating to a consumer’s buying history and habits, and activities conducted on the Internet or other electronic networks as documented by browser histories and interactions with apps and websites. The CCPA thus targets personal data, i.e. all the preferences, behaviors and attributes of a consumer that go towards building a personal profile. The core elements of the CCPA are:
- Right to deletion
- Right to access personal data held by a company
- Right to data portability
- Right to opt-out of the sale of personal information
- Right to nondiscrimination
Case example (consumer’s right to access personal data under the CCPA): While submitting private orders, registering for newsletters and visiting websites, a Californian customer of a major company leaves behind a trail of personal data. The customer now asks the company to disclose exactly what data it has been collecting. The company is obliged to inform the customer about the categories of information and individual items of data collected. It must provide this information without delay, free of charge (by post or email), and in a format that is easy to understand. This includes all personal information, whether received and collected actively or passively. Important: the company must disclose the purpose of processing the data before or while the data is being collected.
What role does email archiving play?
How can a company comply with the above-mentioned provisions, laws, and policies?
The above requirements cannot be met simply by backing up emails. A professional email archiving solution such as MailStore Server can help a company comply with and implement requirements governing emails. MailStore Server offers a series of special compliance features. These features should form part of a comprehensive compliance concept of which the archiving of business emails is an integral component. In addition, an email archiving solution can be helpful in certain eDiscovery scenarios, for example where an auditor is given permission to read the archive so that he or she can browse through the archived mailboxes.
However, every company should be aware that deploying a software solution is not enough on its own to comply with all requirements. In particular, internal processes such as the handling of emails need to be adapted. A sound email governance strategy is definitely to be recommended and an email archiving solution can become a mainstay of such a policy.
Do you want to know more about the potential benefits email archiving offers for a business? What is, for example, the difference from a backup? Then have a look at our blog post.