Overview of the Most Important Regulations
It All Boils Down to This: Archiving is Necessary
Legal regulations such as the Sarbanes-Oxley Act require that e-mail messages containing business-relevant information be securely archived in their original format and retained for a defined period of time.
In practice, this might mean that e-mail messages containing information relevant for taxation or bookkeeping purposes must be kept for up to ten years, and e-mail messages with other business-relevant information must be retained for up to six years in an audit-proof manner.
In addition to the requirements of the Sarbanes-Oxley Act, other regulations, such as the German Handelsgesetzbuch (HGB), the Grundsätze zur ordnungsmäßigen Führung und Aufbewahrung von Büchern, Aufzeichnungen und Unterlagen in elektronischer Form sowie zum Datenzugriff ("GoBD" for short), and the Basel II regulations, also play an important role and underline the importance of e-mail archiving, regardless of where your organization is located.
Article 147 of the Abgabenordnung (Revenue Code) states that retainable documents include sent and received trade and business correspondence, as well as other documents that are necessary for taxation purposes.
The GoBD becomes relevant for organizations whenever tax officers need access to IT systems in order to conduct a company audit. The principles specify that information relevant for taxation purposes must be kept in a format that can be analyzed through automated processes, such as the specialized analysis software used by financial authorities.
European General Data Protection Regulation (EU-GDPR)
The European General Data Protection Regulation (EU-GDPR), also known simply as the GDPR, regulates the processing of personal data. The Regulation applies to all companies and organizations that process data of EU citizens. Clearly formulated protection goals regarding the confidentiality, integrity and availability of data, as well as the resilience of systems and services, must be observed when doing so.
Basel II Regulations
Banks are required to take compliance with the Basel II agreement into account when performing credit ratings of organizations. Special attention is paid to the respective risk management processes, which also include the implementation of e-mail archiving. If organizations show deficits in this area, the result is often a lower credit rating or, in more extreme cases, an outright refusal to issue loans.
Sarbanes-Oxley Act
The Sarbanes-Oxley Act is part of the federal law of the United States. It applies not only to organizations listed on US stock markets and their subsidiaries abroad, but also to all companies that such organizations conduct trade with. Above all, it includes rules intended to improve financial reporting by organizations.