The Email Risk
Email continues to be an essential communication tool, with over 4 billion users worldwide. As of 2024, approximately 361.6 billion emails are sent each day globally (Oberlo, 2023).
The continued reliance on email is a significant cyber security and data protection challenge, because the size of users' inboxes is generally not subject to any data retention management.
A typical inbox is 50Gb in size and, if breached, is bound to expose a very large amount of personal data. If the inbox is also in scope for a Data Subject Access Request (DSAR), considerably more time and effort is needed to assess the data and respond accordingly.
Email inboxes are often compromised through account harvesting, giving the attacker access to the contents and the personal data within them. The larger the inbox, the more data is at risk and the more analysis is required to determine what data has been compromised.
The majority of data subject access requests include email as a source of the data. The larger the inbox, the more data has to be provided. Therefore, responding to the request will be more time consuming and likely to involve more cost.
Under Article 5 of the GDPR, there is a legal requirement to manage the retention of personal data, which means that a user's inbox is in scope for management. A key aspect of this requirement is to keep data only as long as necessary. It is therefore difficult to justify an inbox size of 50Gb that may contain data going back many years which is no longer needed.
Email contains varied amounts and categories of personal data. In most cases, the owner of the inbox has not assessed the confidentiality or the retention requirements.
It is often the case that end users are using email as their document storage. They do not delete their emails because they feel they may need to access the data at some point in the future. This should not be the case: email is a messaging solution, not a document or personal data repository.
Data retention is where organisations store data that they use in their day-to-day operational activities. For example, they may store customer records for many years if they assess that this is needed for business purposes.
While data protection legislation (e.g. the GDPR) does not set specific time limits for data retention, it follows the principle that data should only be kept as long as necessary. Article 5(1)(e) of the GDPR, known as the storage limitation principle, states that even if personal data is collected lawfully, it cannot be retained longer than needed to fulfil the purposes for which it was collected. However, personal data can be kept for extended periods if archived for public interest, scientific or historical research purposes, provided it is appropriately anonymised or encrypted.
Organisations are responsible for understanding the data they hold, the reasons for holding it, and determining whether the data should be erased or anonymised when it is no longer needed.
Cyber Security 4 you is a trading name of Cyber21 Limited, a UK registered Limited Company.
The company provides affordable and cost-effective cyber security and data protection services and solutions.
Cyber21 Limited © Copyright 2025