Archive or Delete Leavers Google Workspace Mailbox?
It’s a common question that is often asked, should you archive or delete the Gmail mailbox of a Google Workspace account once the employee has departed? There are several factors to consider when approaching this topic. We believe that the most important is legislation, such as GDPR, LGPD and CCPA. As GDPR is one of the most comprehensive data protection laws in the world and is often the point of reference for other countries to model their respective citizen’s data security and privacy laws, we typically recommend that organisations attempt to comply with GDPR as a best practice guide where appropriate for their business.
Configure an Auto-Response
Before you decide to delete or archive a leaver’s Gmail, it’s recommended to configure an auto-response. The employee should be informed of the message that will be used but does not have the right to block or change it.
The message should simply inform, in neutral terms, that the intended recipient no longer works for the company and provides the contact details of the person who should be contacted instead. Ideally, this message should be standard throughout the organisation and documented within the IT policy. This auto-response should only be enabled for a reasonable period of time, between 1 to 3 months depending on the role of the employee.
Patronum can help you configure an auto-response as part of an offboarding policy. With a Patronum Policy, you can streamline the offboarding process and make sure that everyone is offboarded in a structured and consistent fashion.
Archiving Leavers Gmail
As we’ve discussed in the past, one of the guidelines for managing leavers’ email is to allow them, before they depart, to delete or forward personal emails. However, from our experience departing employees don’t need to be officially told to do this. Leavers will often tidy up their inbox by deleting their emails before they leave, sifting through potentially decades of emails is a tiresome task, so typically the leaver will delete all their emails before they depart. This creates a challenge for offboarding processes, as a leaver will generally start this cleansing process weeks before they actually leave the organisation. It is therefore pointless to attempt to download or extract a leaver’s email as they depart as it’s unlike to have any business benefit.
However, an employer has a legitimate interest (as defined in article 6.1 (f) – GDPR) in an employee’s historical email and as such the above practice is not compatible with the business requirement. In order to address this, regular and automated backups of employee email and other Google Workspace data should be taken. In addition to helping retain important information within the business, a backup can also help recover from malware and cyber-attack.
Patronum can help you back up your Google Workspace with our partnership with Afi.ai. Get in touch to learn how Patronum and Afi.ai work together to better secure your Google Workspace environment.
Google Workspace Archive User Licensing
An alternative approach to external archive solutions is to switch the Google Workspace account to a Google Workspace Archive User. When you archive one of your users via this mentioned, all Google Workspace services data is archived within Google Vault, and protected from data loss. An Archive User license prevents the user from accessing any of the Google services while keeping your company data safe in case you need to access your user’s data later on. It is recommended, in line with GDPR that you retain a minimal amount of employee data, and as such we recommend that you should only use a Google Workspace Archive User license for a maximum of 3 months. After which time you should delete the user account.
Patronum can help you automatically switch from a standard user license to a Google Workspace Archive User license (AU).
Delete Leavers email
Now that we’re established that externally archiving your leavers’ email is pointless and costly and that the Google Workspace Archive User license which also having a cost implication, should only be used temporarily. We can now turn our attention to when should we be deleting our leavers’ Gmail inbox and Google Workspace account.
As mentioned above, after our employee departs we should be sending auto replies to direct individuals to a new point of contact. This should be done for a maximum of three months, after which the Gmail inbox and Google Workspace account should be permanently deleted. Retention rules should also be configured within your backup solution to purge all backups for the account.
Patronum can help you configure a offboarding policy that can automatically configure auto reply, apply a Google Workspace Archive User license, and finally permanently delete the users Gmail and Google Workspace account. This means that you can stay compliant with GDPR and provide a clear and consistent approach for your employees fostering transparently and trust within your organisation.
The decision on what you should do when offboarding your leavers from Google Workspace must be defined within the IT policy and be fit for purpose based on your business and regional legislation and laws. GDPR recommends an approach to keeping the minimal amount of personal data, and only keeping personal data if there is a specific and lawful requirement.
To summarise we recommend:-
- Auto-responder – Use Patronum to set an auto-responder as part of an offboarding workflow.
- Backup – Make sure you have a regular and automated backup solution in place. We recommend and integrate with Afi.ai.
- Archive License – Allocate a Google Workspace archive user license for a maximum of 3 months.
- Deletion – Automatically delete users data 3 months after they have departed.