The AIIM Blog - Overcoming Information Chaos

8 Things to Remember When Implementing an Email Policy

Written by John Mancini | Nov 12, 2009 4:47:27 PM

1. Have a policy in place

A necessary step in professionalizing your email management is to develop and publish an email policy.

But what is an email policy? It is a written proclamation from top management or an authorized board like the corporate compliance office. It outlines the general requirements, principles, and rules for the use of email inside your organization.

Why is it necessary to have an email policy? Because email is not an option in today's business! In 2008, BearingPoint conducted a survey on email management. More than 90% of all participants rated email as important or very important for internal and external communication. About two-thirds of the respondents indicated that more than 25% of their emails contain business-critical information, and one-third indicated that emails contain more than 50% business-critical information.

But in more than 50% of companies, the user is the one who decides whether and when to delete or archive an email. Fewer than 50% of companies have an email policy in place. To ensure legal compliance and to protect both the company and the users from misuse of the email system, you need to establish a policy framework for developing, enforcing, and monitoring an email policy.

2. Define ownership and involve the stakeholders

Remember that an email policy affects your organization and all of your employees. Make sure that, at minimum, the legal/compliance department, IT department, HR, and the board of directors are involved in developing the policy in order to reflect all viewpoints in the organization. And if you are located in Europe, don’t forget to involve your workers’ council. To ensure a mature and effective policy, it’s absolutely necessary to define who is responsible for developing, monitoring, and updating the policy. Typically the corporate compliance office is the owner of this policy.

3. Define the objectives and usage

Your policy should use clear and simple wording to be effective. Use bullet points to define the objectives of the policy and the proper use of email so that employees can easily find rules they are unsure of.

Define the purpose of the policy. Some typical purposes include:

  • To ensure the proper use of the company’s email system
  • To guide all users that create, use, and manage email as part of the daily business
  • To make users aware of what your company deems acceptable and unacceptable use of its email system

The policy additionally defines the usage of your email system:

  • Who is allowed to use the system? Is it only internal staff or external partners working for the company too?
  • Permitted uses - is the use of email allowed for business purposes only? If private use of email is occasionally allowed, remember to do some investigation into already existing company policies and ensure that your email policy is compatible with these existing policies.
  • Restrictions for using the email system.

4. Do not forget retention and disposition

Your policy should cover the aspects of retention and disposition. Emails and attachments should be classified and archived according to a retention schedule. A retention schedule describes all document types that need to be archived and is ordered by the defined retention periods per document type. Keep this schedule clear and easy to use. Retention is one side of the coin; the other is disposition. This section of the policy should state that emails need to be disposed of at the end of their lifecycle.

5. Remember eDiscovery issues

Of course, disposition is not allowed when your company is under legal hold during litigation. When developing a policy for email archiving, make sure to include a section dealing with eDiscovery issues. This section should describe what happens when your company is hit by litigation or a subpoena. It should state the mandatory process of litigation hold and all responsible contacts.

6. Train your employees

Parallel to publishing your email policy via internal communication mechanisms like newsletters or intranet sites, you should train your employees and verify their awareness of the policy. Training and verification are important success factors for obtaining user adoption of your policy. The objective is to make users aware of how to work and how to comply with the new policy and procedures. According to BearingPoint’s survey, over 50% of the respondents use newsletters to verify that their employees are aware of a policy. 25% use learning mechanisms. Make sure to monitor for compliance with the policy.

7. Monitor enforcement

Be sure that the policy is used and accepted. Collect feedback about it. If required, refresh the training.

8. Develop a policy management framework

Put things together: stakeholders, usage, legal issues, retention, archiving, security, enforcement, training, and monitoring. Follow the lifecycle of information for your policy management: policy development, training, and auditing.