The idea of keeping every email and record ‘just in case’ is no longer valid. A vital part of good data governance is knowing when there is a legal basis to retain information and when there isn't one. The POPI Act is clear: "records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed".
Information for which there is no legal basis for retention must be securely destroyed. If personal information is retained by a responsible party or one of its operators without a legal basis to do so, data subjects have the right to access their personal information in the possession of the responsible party or operator. Because data subjects have the right to object to the processing of their personal information, they are also entitled to receive information about the processing operations of the responsible party or operator.
Should a dispute arise between a data subject and a responsible party or operator about the lawfulness of retention, and it is found that the responsible party or operator is not authorised to retain the information, the data subject may, in addition to lodging a complaint with the Information Regulator and seeking a settlement, request that the information be destroyed or deleted and that credible evidence of the destruction or deletion be provided to the data subject's satisfaction. In other words, the data subject is entitled to receive independent assurance that the information in dispute has been destroyed or deleted. The cost of providing this assurance is an additional cost of non-compliance with the POPI Act.
The POPIA platform includes a comprehensive records management system for the retention of email and records where a legal basis to do so exists.