by loftsy 528 days ago
I called the ICO a few years ago asking how to comply with an ex-employee GDPR data request for access to their emails. Their recommendation: read them all to determine which contained personal data.

When I told them I (as a 5 person business) obviously don't have time to go through 1000s of old emails they reacted with surprise at the number of emails. I guess they don't send many. They didn't offer any other solution.

As others have mentioned this org is a tax on all UK business.


"For personal data protection purposes, your emails were deleted when you left the company" ;)
Yeah, this. The easiest way to comply with the GDPR is not to store personal data. The second easiest is to delete it as soon as it is no longer required (this includes from backups!)
This was a bit tongue in cheek.

In the UK I would keep business emails for at least 6 years as that's the limit for lawsuits.

Do you actually want those emails to be unearthed during a lawsuit 5 years from now?

At least one firm I worked with had a mandatory 180-day delete of any correspondence not specifically tagged for archival, and the stated reason was to prevent all their random conversations being exposed during discovery if they were prosecuted.

You are answering your own question, I think. Yes, you want to keep emails unless obviously you think they may be incriminating.

The usual advice, though, is obviously not to put in writing what you don't want to be found later...

It's hard to tell a priori what will be incriminating, especially once there is more than one person's email involved.