The purpose of the policy is to protect the company. This may be from litigation or from the cost of a fishing expedition -- think of the cost of having to pull everyone's every email *from backup*. Discovery permits the lawyers to go through your every backup because there just might be an email in there that proves their case and you might have deleted it.
If you have a policy that is generally followed that states when emails are deleted, you save yourself a lot of grief. But. You also need to have a process to stop this regular deletion if a court action is started or management has good reason to believe one is coming.
If you are in an environment where a six month old email saves you serious grief, it may be time to look for another job. I have been there and it always turns ugly. Being able to prove you are not at fault is not the same as proving you are right or to be trusted. Which is a drag, but nonetheless the case.
A good retention policy balances the business needs for retaining emails (which usually does not take CYA into account), regulations (like SOX and PCI and GLBA), and technology costs and efficiencies. A bad one picks a number out of a hat and flails. If the policy doesn't make sense, you could politely ask whether you could please have an exception. Policies are supposed to include exception processes.
Slashdot Mirror
The purpose of the policy is to protect the company. This may be from litigation or from the cost of a fishing expedition -- think of the cost of having to pull everyone's every email *from backup*. Discovery permits the lawyers to go through your every backup because there just might be an email in there that proves their case and you might have deleted it.
If you have a policy that is generally followed that states when emails are deleted, you save yourself a lot of grief. But. You also need to have a process to stop this regular deletion if a court action is started or management has good reason to believe one is coming.
If you are in an environment where a six month old email saves you serious grief, it may be time to look for another job. I have been there and it always turns ugly. Being able to prove you are not at fault is not the same as proving you are right or to be trusted. Which is a drag, but nonetheless the case.
A good retention policy balances the business needs for retaining emails (which usually does not take CYA into account), regulations (like SOX and PCI and GLBA), and technology costs and efficiencies. A bad one picks a number out of a hat and flails. If the policy doesn't make sense, you could politely ask whether you could please have an exception. Policies are supposed to include exception processes.