GDPR: Your emails - Take action now
11 Apr 2018
Data protection is everyone’s responsibility
Under GDPR an individual can request all of the person identifying information (PII) we hold about them, including anything contained in your emails, and the University only has 30 days to respond to such a request. You are responsible for keeping the information in your email and on your computer only for as long as the University has said it will in the Records Retention Schedule.
As part of the General Data Protection Regulation (GDPR), which comes into force on 25 May 2018, all staff must check and permanently delete information, including emails, containing person identifying information (PII) that is beyond its retention period.
This is because holding PII longer than necessary will breach the GDPR. In addition, the requirement for individual staff to search their email account very quickly at short notice whenever we receive a data protection subject access request will place a significant burden on those staff and the University more generally. Reviewing your inbox now will save time later.
Under GDPR the University can only retain PII in line with the Records Retention Schedule (RRS). This sets out the maximum period for which different categories of information can be retained, based on the requirements of the University, and applies to all records. It must be published so that individuals can see how long their personal information is kept.
You will soon be asked to confirm that you are applying the Records Retention Schedule and deleting unnecessary PII in accordance with it. Duplicate copies of documents or draft versions can also be deleted as soon as they are no longer needed. This is particularly relevant to email accounts, which often contain these types of information.
For further guidance on how to clear out your email, visit the GDPR pages of StaffNet.