Despite the availability of a plethora of new channels such as messaging services and social intranets, the tried-and-tested email is still the No. 1 means of communication in the business context. Business-relevant emails often contain sensitive information and the issue of compliance quickly raises its head. But what does compliance exactly mean in the context of business email communication?
Compliance is essentially about adhering to rules, be they laws, administrative provisions, decrees — even internal policies implemented by a company.
The consequences of not complying range from internal company sanctions such as verbal cautions, written warnings, and dismissal, to third-party civil liability proceedings (e.g. claims for damages) and state-led criminal prosecutions (e.g. fines or imprisonment). A loss of reputation can have serious consequences, too.
In the context of emails, the term compliance covers two areas:
Compliance, regulatory compliance, and email compliance are often used synonymously and are subsumed under the standard term “compliance” in the following. So what is the role played by compliance in the context of business emails?
In the following, we shed light on four categories of provisions/policies that can be important for business emails and give a detailed explanation of each by means of a practical example:
Case example HIPAA: A medical doctor in the U.S. wants to send X-ray images and patient data collected in his practice to a patient by email. What are the legalities the doctor needs to be aware of? Among other things, HIPAA requires that security measures be implemented to ensure that personal information on the patient’s health is adequately protected. In this case, archiving emails or creating backups of emails containing health information can, for example, be a sensible option. The aim of both measures is to prevent unauthorized accessing of the patient’s electronic health record (EHR) and prevent it from being deleted — whether deliberately or by accident. Encryption of the data during storage and transfer can also help.
Explanation: In the first instance, European Union directives address the national legislator, who is then obliged to transpose the relevant provisions into national law.
In contrast, a regulation of the European Union is effective directly in the member states, i.e. it does not require an act of transposition. The General Data Protection Regulation (GDPR) is one such EU regulation. With regard to business emails, companies must ensure that the following four rights of data subjects are met, as these emails can contain personal data:
However, care must be exercised here: These four rights can bring companies into conflict with other laws and regulations. For example, Germany’s tax and commercial laws (the AO and the HGB) stipulate that an email archive must be complete, yet according to the EU laws on data privacy (GDPR) it might be necessary to erase personal data from an archive. The use of private emails in the workplace, emails from the works council or the company medical doctor, or data on candidates can also be a problem.
Case example; GDPR: An EU citizen and customer of a major online retailer requests that the company delete all of his or her personal data. The search function of an email archiving solution can help the retailer to quickly locate and then delete emails containing personal data of the data subject. But beware! Due to the potential for breaching other laws, the issue of whether to actually delete the data in question should be decided on a case-by-case basis.
Explanation: These rules and regulations are introduced voluntarily by a company; although they are binding upon staff members, they have no material effect outside the firm. As these policies are specific to individual companies, only a few examples are listed below:
Case example / usage policies: A company decides to prohibit the use of the corporate email account for private purposes. Company staff have been asked to observe the policy strictly and send personal emails only via their private mailbox.
Explanation: Data privacy features in each of the three above-mentioned categories: There are international, national, and industry-specific data privacy laws, in addition to internal company policies. Data privacy is concerned with protecting “informational self-determination,” a concept first introduced in the context of a German constitutional ruling. This right addresses the ability of individuals to protect their private lives by preventing the unauthorized collection, storage and sharing of personal details by companies, institutions, etc. Like the EU GDPR, the CCPA contains provisions to protect natural persons when their personal data is processed. Unlike the GDPR, the CCPA could also extend to data on households and devices. The CCPA defines information as any commercial information relating to a consumer’s buying history and habits, and activities conducted on the Internet or other electronic networks as documented by browser histories and interactions with apps and websites. The CCPA thus targets personal data, i.e. all the preferences, behaviors and attributes of a consumer that go towards building a personal profile. The core elements of the CCPA are:
Case example; consumer’s right to access personal data under the CCPA: While submitting private orders, registering for newsletters and visiting websites, a Californian customer of a major company leaves behind a trail of personal data. The customer now asks the company to disclose exactly what data it has been collecting. The company is obliged to inform the customer about the categories of information and individual items of data collected. It must provide this information without delay, free of charge (by post or email), and in a format that is easy to understand. This includes all personal information, whether received and collected actively or passively. Important: the company must disclose the purpose of processing the data before or while the data is being collected.
How can a company comply with the above-mentioned provisions, laws, and policies?
The above requirements cannot be met simply by backing up emails. A professional email archiving solution such as MailStore Server can help a company comply with and implement requirements governing emails. MailStore Server offers a series of special compliance features. These features should form part of a comprehensive compliance concept of which the archiving of business emails is an integral component. In addition, an email archiving solution can be helpful in certain eDiscovery scenarios, for example where an auditor is given permission to read the archive so that he or she can browse through the archived mailboxes.
However, every company should be aware that deploying a software solution is not enough on its own to comply with all requirements. In particular, internal processes such as the handling of emails need to be adapted. A sound email governance strategy is definitely to be recommended and an email archiving solution can become a mainstay of such a policy.
Do you want to know more about the potential benefits email archiving offers for a business? What is, for example, the difference from a backup? Then have a look at our blog post.
Sponsored by MailStore Software
Exchange coexistence has been around for a long time. This can be having Exchange 2010…
If you want to check VM sizes available to any given region, Azure Portal is…
If you have open network shares on your network, you are opening the door to…
A spear-phishing email has resulted in a U.S. gas pipeline ransomware attack. Making the attack…
To really lower your Azure costs, you need actionable information. Get info on flexibility groups…
Data stolen from breaches often live on forever, as appears to be the case with…