Some organizations have specific templates and requirements for policies or procedures, so first check to see what policy-making resources already exist.
If a RIM manager or team already exists, they will be guiding the process to ensure emails that are also records receive consistent treatment in line with organization-wide records management requirements. Legal and compliance also need to participate.
The IT security team must get engaged to ensure the storage location has the appropriate size and security, based on the regulatory and legal requirements for the storage of this information.
If the organization has a risk management team, they need a seat at the table and, if not, someone with a legal background must consider the risk of what is being retained for business continuity or collaboration purposes. Each department that wants to retain emails for business continuity must participate in the policy-making process.
After assembling the right experts, the next step is gathering all the requirements for email retention in a consistent format. Some organizations will ask teams to make a business case to minimize the risks and challenges presented by saving too much email.
Not all emails that must be retained can or should be treated equally. Classifying emails into categories based on the reason for saving allows a retention duration to be specified for each class of email. Emails that serve as the paper trail for the company budget process probably don’t need to be saved beyond the fiscal year, while those documenting the submission of tax materials to an outside auditor, for example, likely need to be saved much longer.
The owner of each email retention requirement must classify email types so retention periods can be defined for that email type. This process creates groups of emails that receive the same treatment and the same retention duration.
Now that users know which emails they need to save, the next step is defining the best location for those emails to live. With harmon.ie, Microsoft 365 users can store emails on SharePoint or Teams without ever leaving Outlook.
Now that emails no longer live in personal drives, the organization must define who should have access to each storage location and develop a procedure for providing or rescinding access as needed.
Most lawyers and regulators won’t take your word for it, so the almost-final step is documenting the email types, where each type is stored, and the storage duration for each type. Make sure to document the departments that were involved, to whom the policy applies, and the next date of review.
The final step is to document sign-off from the required stakeholders and pat yourself on the back for a job well done!