Image: symbolic illustration of GDPR and IT security, with interlinked terms on data protection, security and compliance above a laptop keyboard.

The European General Data Protection Regulation (GDPR) has been legally binding since May 25, 2018, that is, for 32 months now, and a lot has changed since then. But what exactly has changed? And what was its goal?

Its goal:

To establish a uniform level of data protection across the entire EU.

It regulates the protection of personal data. Companies and businesses, in particular, manage and process sensitive data from employees and customers. They had to familiarize themselves with the new regulations and implement technical, organizational, and procedural requirements.

What Did the Change Mean for IT?

Email Archiving Became a Focus

The internal corporate email archive had to be adapted to comply with legal regulations, especially regarding the long-term storage of emails.

Business emails frequently contain personal data. The right to access information and the right to be forgotten are protected rights under the GDPR for individuals whose data is processed.

The Principles for Proper Management and Retention of Books, Records, and Documents in Electronic Form (GoBD), introduced in 2014, already had a high degree of alignment with the GDPR and its data protection regulations, particularly in terms of IT security. Companies that used GoBD-compliant software had an advantage.

Having GoBD-compliant software is a crucial first step toward meeting GDPR requirements for email archiving.

According to GoBD, an email must be archived if it serves as a business or commercial letter or a booking receipt.

However, if an email is only a transport medium (e.g., containing an invoice as an attachment), only the attachment must be retained, not the email itself. A printed version of the invoice is not sufficient.

What Does “Archiving” Mean?

Archiving is the long-term storage of data on a separate storage medium.

  • The purpose is not primarily data recovery in case of loss but rather documentation.
  • The retention period depends on the type of data.
  • Business emails must be stored for six to ten years.
  • Small businesses are exempt from this regulation.

Key legal regulations for businesses can be found in the German Commercial Code (HGB) §§ 238 and 257 and the German Tax Code (AO) § 147, which specify different retention periods for business documents.

Furthermore, the format of emails and attachments must be fully searchable. If email properties are relevant for tax purposes, they must be preserved.

Thus, companies should ensure that digital long-term archiving is carried out with software that is GoBD-compliant and certified according to IDW PS 880 (audit standard of the German Institute of Auditors).

With integrated search functions, businesses can provide employees or customers with information about stored data (digital correspondence and attachments) upon request, thus complying with GDPR requirements.

Businesses should play it safe and archive emails reliably.
At Aobis, we provide expert IT solutions, ensuring your entire IT infrastructure remains compliant.

📩 Have questions? Our team is happy to assist you!