Email Records Retention Policy Template for England and Wales

What is an Email Records Retention Policy?

The Email Records Retention Policy is essential for organizations operating under English and Welsh law to manage their electronic communications effectively and legally. This document becomes necessary as organizations face increasing regulatory scrutiny and data protection requirements, particularly under UK GDPR and the Data Protection Act 2018. It helps organizations maintain compliance, reduce storage costs, and mitigate legal risks by establishing clear guidelines for email retention and disposal. The policy is particularly crucial given the volume of business conducted via email and the need to balance record-keeping requirements with data minimization principles.

Reviewed by

Swetha Meenal

Legal Engineer, GenieAI

A lawyer, legal researcher and legal tech founder, Swetha has built AI products deployed inside Tier 1 firms and enterprises. She ensures GenieAI's alignment with the latest regulation and executes testing on the legal robustness of Genie output.

Reviewed by

Imad Mohammed Nazar

Legal Engineer, GenieAI

A Skadden-trained M&A lawyer, Imad advised on cross-border transactions and contractual risk before moving into legal AI. He reviews GenieAI's output for compliance and enforceability across our 150+ supported jurisdictions, as well as facilitating external benchmarking.

Jurisdiction: England and Wales

Publisher: GenieAI

Sector: Business

Cost: Free to use

Last updated

About the Email Records Retention Policy

An Email Records Retention Policy is a comprehensive legal framework that governs how your organization manages, stores, and disposes of electronic communications. Under England and Wales law, this policy serves as your roadmap for balancing data protection obligations with business record-keeping requirements, ensuring you maintain essential communications while avoiding unnecessary data accumulation that could expose you to regulatory penalties or increased storage costs.

When do you need this document?

You need an Email Records Retention Policy when your organization processes personal data through email communications, particularly if you handle employee, customer, or client information electronically. This becomes essential during regulatory audits, data protection impact assessments, or when responding to subject access requests under UK GDPR. The policy is crucial for public bodies subject to Freedom of Information Act obligations, companies maintaining statutory records under the Companies Act 2006, and any organization seeking to demonstrate compliance with data minimization principles. You'll also need this policy when implementing new email systems, during mergers and acquisitions, or when facing litigation where email evidence may be relevant.

Key legal considerations

Your Email Records Retention Policy must address several critical legal frameworks simultaneously. Under UK GDPR, you must establish lawful bases for processing personal data in emails and ensure retention periods align with data minimization principles, meaning you cannot keep emails longer than necessary for their original purpose. The policy must include procedures for responding to data subject rights, including deletion requests and data portability. For business emails, the Companies Act 2006 requires certain corporate communications to be retained for specific periods, typically six years for accounting records and indefinitely for constitutional documents. The Limitation Act 1980 affects minimum retention periods, as you may need emails as evidence for potential legal claims within statutory limitation periods. Your policy must also consider the Freedom of Information Act if you're a public body, establishing clear procedures for identifying and retrieving emails subject to information requests.

Legal requirements in England and Wales

England and Wales law imposes specific obligations that your Email Records Retention Policy must address comprehensively. Under the Data Protection Act 2018 and UK GDPR, you must appoint a Data Protection Officer if required, implement technical and organizational measures to protect email data, and maintain records of processing activities. Your policy must establish different retention periods based on email content: personal data should generally be deleted when no longer needed, while business records may require longer retention under sector-specific regulations. For financial services firms, additional retention requirements apply under FCA rules, while healthcare organizations must comply with NHS record retention schedules. Your policy must include provisions for cross-border data transfers if you operate internationally, ensuring adequate safeguards are in place. The policy should also address employee monitoring, ensuring any surveillance of email communications complies with employment law and privacy requirements while maintaining clear communication about monitoring practices to your workforce.

GOVERNING LAW

Applicable law

This Email Records Retention Policy is drafted to comply with England and Wales law. Key legislation includes:

UK General Data Protection Regulation (UK GDPR): Core data protection legislation covering data minimization, storage limitation principles, legal basis for processing personal data, and rights of data subjects

Data Protection Act 2018: UK implementation of GDPR, including specific provisions for data processing, national security and law enforcement

Freedom of Information Act 2000: Legislation applicable to public bodies covering information access rights and records management obligations

Companies Act 2006: Primary legislation governing company operations, including corporate record-keeping requirements and business correspondence retention

Limitation Act 1980: Defines statutory limitation periods for legal claims, affecting minimum retention periods for various types of records

Electronic Communications Act 2000: Legislation covering legal recognition of electronic communications and requirements for electronic signatures

Regulation of Investigatory Powers Act 2000: Legislation governing monitoring of business communications and related privacy considerations

Employment Rights Act 1996: Employment law covering employee-related communications and HR records retention requirements

Financial Services and Markets Act 2000: Regulatory framework for financial services including specific records retention requirements for regulated entities

Industry-specific regulations: Various sector-specific regulations including FCA requirements, healthcare regulations, and professional services regulations

Money Laundering Regulations 2017: Anti-money laundering legislation requiring retention of customer due diligence and transaction records

Tax legislation: HMRC requirements and VAT record-keeping obligations affecting email retention periods for tax-related correspondence

Genie's Security Promise

Genie is the safest place to draft. Here's how we prioritise your privacy and security.

Your data is private:

We do not train on your data; Genie's AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

We are ISO27001 certified, so your data is secure

Organizational security:

You retain IP ownership of your documents and their information

You have full control over your data and who gets to see it