A Guide to Data Retention in Gmail

15 Nov 2024

6 min read

Gopika

With over 6 million business users, Gmail has grown to become Google’s most successful product yet and one of the most popular email clients globally.

Widespread adoption of Gmail by business users for everyday communication also means an increase in data loss due to human error and cyber threats.

This article explores the different ways in which Google Workspace administrators can retain Gmail data.

1. What is Gmail data retention?

Gmail data retention can be defined as the preservation of emails to prevent loss of critical data or to meet compliance regulations.

Google does not take responsibility for safeguarding any user Gmail data; this responsibility falls on an organization’s IT administrator.

1. 1. Default Gmail retention in Google Workspace

Deleted Gmail emails move to the user’s Trash where it stays for a 30-day period, during which time, the user can restore them directly. After the 30-day period, users will no longer have access to the deleted email in their Trash. However, an Administrator can restore the email(s) from the Admin Console within the next 25 days, after which the email gets permanently deleted.

Below is a diagram illustrating the movement of a Gmail email from the moment it gets deleted to the time of recovery (from the user recycle bin or the admin console).

For different ways to recover Gmail emails, click here.

Limitations of default Gmail retention

The default retention setting in Google Workspace alone is not enough:

The emails retained in a user’s Gmail account is counted towards the total Google storage (including the email attachments and the emails in the Spam and Trash folders).

Emails are permanently deleted after the retention period expires. Deleted emails are only stored for a limited period in the individual user recycle bin and the admin console- after which it is permanently deleted.

If a user account is deleted, all emails associated with that account are permanently lost, even from the Admin Console and Vault. Vault does not retain data from deleted accounts. To prevent unintended data loss, consider suspending the user account instead of deleting it.

1.2. Native retention settings to secure Gmail

Google Workspace also offers native retention settings in Google Vault to help organizations retain Gmail emails efficiently, and for a longer duration, even after it is deleted by the user.

According to Google, Vault is an information governance and eDiscovery tool that helps organizations retain, hold, search, and export users’ Google Workspace data.

Using Vault, organizations can:

Set retention rules to retain data for a specific period
Set retention rules to delete data after a certain date
Identify, preserve, and collect user data as a part of eDiscovery

Pro tip

An improperly configured retention rule can allow Gmail to immediately and irreversibly purge messages. Use caution when creating or changing retention rules. It's recommended to test new rules on a small subset of accounts before applying them to the entire organization to avoid unexpected data loss.

Below is a diagram summarizing the basic capabilities of the two data retention features available with Google vault.

To know more about what is Google Vault, Vault retention rules, holds, and license requirements, read our in-depth article.

1.2.3. Gmail retention using retention rules in Google Vault

Organizations can set specific retention rules to secure emails. With retention rules, organizations can:

Retain emails for a specific period: Organizations can configure retention rules in Google Vault to preserve relevant Gmail emails for a specific period. These emails will continue to be retained even when users delete the file.
Delete emails when no longer needed: Organizations can set retention rules to delete sensitive or unwanted emails from the user accounts and purge it from the Google systems.

There are two types of retention rules that can be applied to Google Workspace data-

Default Retention Rules and
Custom Retention Rules

Default retention rules

Organizations can modify/use a default retention rule to keep the emails in a service for all licensed accounts for a specific time. Default retention rules cannot be applied to specific accounts or time periods, and there can only be one default retention rule for each service.

Data retained under default retention rules is subject to being purged when the retention period expires, unless overridden by custom rules or holds.

Example of a default retention rule:

Retain all messages indefinitely: This ensures that all emails are kept until explicitly deleted, overriding any automatic purging.

Note: Organizations can apply a default rule apply only if a custom rule or a hold is not already in place.

Custom retention rules

Unlike default retention rules, custom retention rules can be fully customized to an organization’s needs. Custom retention rule set for Gmail and Groups can be set by organizational units, date ranges, and specific search terms.

Custom Gmail retention rules always supersede default retention rules, and if multiple custom retention rules apply to a Gmail message, the one with the latest expiration date takes precedence.

Retention periods can be set between 1 and 36,500 days (approximately 100 years). This flexibility allows organizations to either retain messages indefinitely or for a specific period depending on compliance needs.

Examples of custom retention rules:

Purge only deleted messages after 365 days: This rule purges messages that users have deleted after they have been in Trash for 365 days.

Purge messages after 365 days regardless of user deletion: This rule purges all messages after 365 days, even if users have not deleted them.

The Gmail retention rule with the latest expiration date takes precedence over the other rules.

How to secure Gmail emails using retention rules?

To set custom retention rule for Gmail email, follow the below steps:

Step 1: Sign-in to Google Vault using the Super Administrator credentials.
Step 2: Click “Retention”.
Step 3: Click “Custom Rules” from the navigation bar on top.
Step 4: Click “Create”.
Under "Service", select "Gmail", then click "Continue".
Choose which organizational unit the rule applies to. Click the field to open a chooser, then select the organizational unit. Click "Continue".
Choose how long to keep messages:
To permanently retain messages covered by this rule, select "Indefinitely".
To discard messages after a set time, select "Retention period" and enter the number of days (from 1 to 36,500).
If you set a retention period, choose what to do with messages when the retention period ends:
To purge only messages that are already deleted by users, choose the first option.
To purge all messages, including those not deleted by users, choose the appropriate option.
To purge all messages, including drafts and email templates, select the third option if necessary.
Step 6: Click "Create". If you set a retention period, check the confirmation box and click "Accept".

Warning: When setting a new retention rule, Vault can immediately purge data that exceeds the retention period, which may include data users expect to keep. Always verify your rule settings before applying them, and ideally test them on a subset of data first.

What happens when a Gmail email gets deleted after applying a retention rule?

Once a retention rule is applied, the data is preserved throughout the specified retention period even if the user deletes it from their account or Trash. However, if a retention rule expires and no other retention rules or holds apply, messages can be purged immediately. It's crucial to ensure that retention rules are appropriately configured and updated to prevent unintended data loss.

The diagram below illustrates how a deleted Gmail email can be recovered when a retention policy is applied.

1.2.4. Gmail retention using eDiscovery in Google Vault

eDiscovery is the process of identifying, preserving, and presenting data as relevant evidence in a legal case. Using “Matters” in Google Vault, administrators can run searches to identify, and place holds to preserve Gmail emails from different accounts. Gmail messages, attachments in Sent, Drafts (that are not deleted), Trash, Archive and Spam folders can be protected by Google eDiscovery.

Matters are virtual containers that hold all the searches, exports, and holds related to a specific eDiscovery project.

An eDiscovery hold takes precedence over any retention rule applied to specific content in Google Workspace services. When a message is placed on hold, Gmail cannot purge the message even after all applicable retention periods end.

How to secure Gmail emails using eDiscovery?

To place a hold on Gmail emails using the eDiscovery tool in Google Vault, follow the below steps:

Step 1: Sign-in to a Google Vault with Super Administrator credentials.
Step 2: Click “Matters”.
Step 3: Click “Create” or open an existing Matter.
Step 4: Click “HOLDS” from the top navigation bar.

Step 5: Click “Create”. Enter a name for the Hold,click “Gmail” under the Service drop-down. Choose a specific account or org units as the scope of the Hold,add conditions of the search (sent/received date, query terms).Click “CREATE”.

The emails on hold remain preserved until the hold is removed, the user account gets deleted, or the organization’s Vault license expires.

Administrators can remove the hold by deleting it.

Can you delete emails that are put on eDiscovery hold in Google Workspace?

Users can delete the emails from their accounts even if an eDiscovery hold is applied. The emails then disappear from the individual user’s account. TheSuper Administrator or a Vault user with specific privileges, however, can continue to search for, preview, and export the delete emails from the Vault.

Note: If a user account is deleted, all data associated with that account is also deleted from Vault, even if it was under a hold.

1.2.5. Can retention rules and eDiscovery holds be used as an alternative to cloud backup to secure Gmail emails?

In short, no. eDiscovery and retention rules cannot be used as an alternative to a third-party backup solution to secure Gmail emails. While their basic data protection capabilities can secure critical business data from getting deleted or lost, a third-party backup solution offers much more.

Unlike Vault, third-party backup solutions like SysCloud offer features like automated backups, single-click restores, cross-user email restore that decrease recovery times and minimize negative impact on productivity.

Absence of restore Features- Unlike SysCloud, backup Google Vault does not help with data restoration at the click of a button. Additionally, SysCloud also allows organizations to restore individual emails and labels to a different user account (cross-user restore).

Deleted user accounts- If an administrator removes a Gmail user account in the organization’s Google Workspace domain, all emails related to that user is lost even if the account was placed on hold.

SysCloud backup, on the other hand, retains all backed-up emails related to deleted or suspended users, at no additional cost.

Comprehensive Backup- While Google Vault’s eDiscovery and retention rules help organizations preserve emails, it is not a backup solution. Third-party backup tools like SysCloud are capable of automatically backing up all Gmail data. SysCloud backup also provides the capability to export or restore the backed-up content with just a few clicks.

Outages- Gmail outages lock users out of important data for hours, impacting business productivity. Unlike eDiscovery holds, backup tools like SysCloud can help organizations access their files during outages and continue work during the downtime.

Click here to know more about SysCloud.