¶ Email Hosting and UK GDPR
Email is where personal data lives in most UK organisations — customer names, addresses, orders, complaints, health details, financial references. UK GDPR treats every email provider as a data processor acting for you, the controller. This reference covers the legal obligations of email hosting under UK GDPR, what to look for in a provider's contract, what an ICO audit typically examines, and how to handle breaches and subject-access requests.
UK GDPR (the EU General Data Protection Regulation as retained and amended in UK law after Brexit, read alongside the Data Protection Act 2018) applies to processing of personal data by organisations established in the UK, and to processing that relates to individuals in the UK. Email mailboxes, inbound and outbound, contain personal data: names, email addresses, phone numbers, postal addresses, opinions about individuals, CVs, bank details and health references all count. Health references are special category data under Article 9, which needs an additional condition on top of the Article 6 lawful basis.
Key principles for email:
- Lawful basis. You need one of the six Article 6 lawful bases for the personal data you hold in mail; for email the usual candidates are contract, legitimate interests and, for marketing, consent. Routine business correspondence normally rests on contract or legitimate interests, and the basis should be recorded, not assumed.
- Purpose limitation. Email data should be used for the purpose you collected it for, not re-purposed indefinitely.
- Data minimisation. Do not ask for or keep more data than necessary. Regular mailbox pruning matters.
- Accuracy. Keep contact details up to date.
- Storage limitation. Define and apply retention periods.
- Integrity and confidentiality. Email must be protected with appropriate technical and organisational measures (TLS in transit, encryption at rest, access controls, MFA, audit logging, staff training).
- Accountability. You must be able to demonstrate compliance.
In UK GDPR terms, when you use a hosted email service:
- You (the business or individual) are the data controller. You decide why and how personal data is processed.
- The email provider is the data processor. They process data on your behalf, following your instructions.
The relationship must be formalised in a written contract containing the Article 28 terms, usually called a Data Processing Agreement (DPA). Without one your processing is not compliant, and a missing DPA is one of the simplest findings for the ICO to make.
SmartXHosting operates as processor for its customers; the standard DPA is included in all Business Email and Private Email subscriptions and published publicly.
A DPA between you and your email provider must cover, per UK GDPR Article 28:
- The subject matter and duration of processing.
- The nature and purpose of processing.
- The type of personal data and categories of data subjects.
- Your obligations and rights as controller.
- The processor's obligations to process only on your documented instructions.
- Confidentiality commitments for staff with access.
- Security measures the processor applies (the "appropriate technical and organisational measures" of Article 32).
- Sub-processor engagement rules (who processes on behalf of the processor, and how you consent to changes).
- Data subject rights assistance.
- Breach notification obligations.
- Audit and inspection rights for the controller.
- End-of-engagement data return or deletion.
Before signing up for any email service, read the DPA. All major providers publish theirs; a surprise at contract signature is a bad sign about how seriously the provider takes its obligations.
UK GDPR does not require UK data residency: personal data may leave the UK where the destination is covered by UK adequacy regulations (the EEA, for example) or where appropriate safeguards such as the ICO's International Data Transfer Agreement are in place. Residency still has practical advantages:
- UK-stored data is fully within UK jurisdiction. No cross-border transfer compliance questions.
- Law enforcement access runs through UK process rather than foreign orders, provided the provider itself is not subject to foreign jurisdiction. Note the limit of that argument: the US CLOUD Act reaches data held by US-controlled providers wherever it is stored, so choosing a UK region with a US provider narrows the question but does not close it.
- Incident response is faster and more transparent when the data lives down the road rather than on another continent.
- Some procurement contexts (UK public sector, some regulated finance) require UK residency.
SmartXHosting hosts all UK customer data in UK data centres with EU disaster-recovery failover (the failover copy is a restricted transfer, covered by the UK adequacy regulations for the EEA). Microsoft and Google offer UK residency via configuration (Microsoft's Advanced Data Residency add-on; Google's UK Data Region option). Neither is the default, so check your tenant configuration and record the outcome.
Article 32 of UK GDPR requires "appropriate technical measures to ensure a level of security appropriate to the risk". For email this typically means:
- In transit: TLS 1.2 or higher on every protocol the platform exposes (SMTP submission, IMAP, POP, webmail, admin interfaces), with TLS 1.0 and 1.1 disabled rather than merely deprioritised. Server-to-server SMTP is opportunistic STARTTLS by default and falls back to plaintext if the peer does not offer TLS; MTA-STS or DANE (published by the receiving domain and honoured by the sending MTA) is what makes that hop enforced.
- At rest: full-disk or volume encryption on the mail store (LUKS, or the cloud provider's equivalent). This protects against lost or decommissioned media, not against a compromised account or a provider-side administrator, so it complements access control rather than replacing it.
- End-to-end where applicable: S/MIME or PGP for particularly sensitive correspondence.
- Backup encryption: backup media encrypted too.
- Key management: documented, with access logged.
Default provider configurations usually meet the bar, but verify rather than assume, since TLS floors and residency are often tenant-level settings. Advanced needs (end-to-end protection for patient or legally privileged data) require extra configuration and, for S/MIME or PGP, key management on your side that the provider cannot do for you.
UK GDPR does not prescribe specific retention periods — it requires you to define and justify them. Typical UK business retention periods:
- Customer correspondence: 7 years (matches most commercial record-keeping conventions).
- Employee records in mail: 6 years after the end of employment (the Limitation Act period for contract claims; HMRC itself only requires PAYE records for 3 years from the end of the tax year).
- Financial records: 6 years (HMRC) to 7 years (accounting audit).
- Professional services (legal, medical): 7-15 years depending on sector.
- Marketing consent records: as long as the consent is valid, plus 2-3 years for dispute buffer.
- Transient correspondence with no ongoing business purpose: 1-2 years.
Apply retention via auto-archive rules, auto-purge of Trash and Spam, and periodic mailbox reviews, and make sure the rules reach archives, journals and backups too: a message purged from the mailbox but still sitting in a backup is personal data you still hold, so backup retention belongs in the same policy. Regulated sectors should also consider journaling to a compliant archive (Mimecast, Smarsh) for FCA, SRA or MiFID II obligations.
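The retention table above is only useful if something applies it. The script below is an added example, not SmartXHosting's or Axigen's own code: it takes one metadata record per message (folder, data category, receipt date, an optional retention start such as end of employment, and a legal-hold flag; these field names are assumptions about what a mailbox export would provide), uses the periods from the table, and sorts messages into purge, keep, hold and review. Legal hold wins over retention, mirroring the erasure exemption, and an uncategorised message is never purged silently. The sample records are constructed.

```python
"""Retention-policy enforcement over mailbox metadata (added example)."""
import calendar
import datetime as dt
from dataclasses import dataclass
from typing import Optional

# Retention periods in years per data category, taken from the table above.
RETENTION_YEARS = {
    "customer_correspondence": 7,
    "employee_records": 6,      # measured from end of employment, not receipt
    "financial": 6,
    "transient": 2,
}
TRASH_SPAM_DAYS = 30            # auto-purge window for Trash and Spam (assumed)


@dataclass(frozen=True)
class MailRecord:
    """One exported message; field names are assumptions about the export."""
    message_id: str
    folder: str
    category: str
    received: dt.date
    retention_starts: Optional[dt.date] = None  # e.g. end of employment
    legal_hold: bool = False                    # litigation or regulatory hold


def add_years(day: dt.date, years: int) -> dt.date:
    """Add whole years, clamping 29 Feb to 28 Feb in non-leap years."""
    year = day.year + years
    last = calendar.monthrange(year, day.month)[1]
    return day.replace(year=year, day=min(day.day, last))


def expiry_date(rec: MailRecord) -> Optional[dt.date]:
    """Date after which the record may be purged, or None if category unknown."""
    years = RETENTION_YEARS.get(rec.category)
    if years is None:
        return None
    start = rec.retention_starts or rec.received
    return add_years(start, years)


def classify(rec: MailRecord, today: dt.date) -> str:
    """Return 'hold', 'purge', 'keep' or 'review' for one record."""
    # Legal, financial or regulatory holds override retention and erasure alike.
    if rec.legal_hold:
        return "hold"
    # Trash and Spam are purged on a short fixed window regardless of category.
    if rec.folder in ("Trash", "Spam"):
        return "purge" if (today - rec.received).days > TRASH_SPAM_DAYS else "keep"
    expires = expiry_date(rec)
    if expires is None:
        return "review"          # uncategorised data needs a human decision
    return "purge" if today > expires else "keep"


def retention_plan(records, today: dt.date) -> dict:
    """Group message IDs by action so the purge list can be reviewed first."""
    plan = {"purge": [], "keep": [], "hold": [], "review": []}
    for rec in records:
        plan[classify(rec, today)].append(rec.message_id)
    return plan


# Constructed sample export (not real mailbox data).
SAMPLE_RECORDS = [
    MailRecord("r1", "Inbox", "customer_correspondence", dt.date(2017, 5, 1)),
    MailRecord("r2", "Inbox", "customer_correspondence", dt.date(2019, 1, 1)),
    MailRecord("r3", "Archive", "employee_records", dt.date(2015, 1, 1),
               retention_starts=dt.date(2020, 3, 31)),
    MailRecord("r4", "Inbox", "transient", dt.date(2022, 1, 1), legal_hold=True),
    MailRecord("r5", "Spam", "transient", dt.date(2025, 4, 1)),
    MailRecord("r6", "Inbox", "misc", dt.date(2016, 1, 1)),
]
EXAMPLE_TODAY = dt.date(2025, 6, 1)

if __name__ == "__main__":
    for action, ids in retention_plan(SAMPLE_RECORDS, EXAMPLE_TODAY).items():
        print(f"{action:7s} {ids}")
```

Run the plan in report mode first and have someone sign off the purge list; the "review" bucket is the list of mailboxes that were never categorised, which is usually the real finding.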
Individuals have rights under UK GDPR that intersect with email data:
- Right of access (SAR). Individuals can ask what data you hold about them. You must respond without undue delay and within one calendar month of receipt (extendable by up to two further months for complex or numerous requests, provided you tell the requester within the first month). Email searches are usually the biggest component of a SAR response.
- Right to rectification. Correct inaccurate data. For email, this usually means updating forward-looking contact details; past correspondence is the historical record.
- Right to erasure. The "right to be forgotten" applies to personal data with no ongoing lawful basis for retention. It does not override legal, financial or regulatory retention obligations (Article 17(3)), but you must be able to cite the obligation you rely on.
- Right to restriction. Pause processing while a dispute is resolved.
- Right to data portability. Provide data in a machine-readable format.
- Right to object. Particularly relevant to marketing uses.
Your email platform should support efficient search across all mailboxes and archives: the one-month SAR deadline is statutory, not negotiable, and the search has to cover headers, bodies and attachments, after which third parties' personal data must be redacted from what you disclose. Axigen's full-text search across mailboxes supports this flow.
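As an added example (not SmartXHosting's or Axigen's code), the script below does the first pass of a SAR: it searches a mailbox export for the identifiers the requester supplied and reports which messages, and which fields of each, mention them, then computes the statutory response date. It assumes mailboxes can be exported as RFC 5322 text, one string per message; the three messages and the identifiers are constructed. Only headers and text/plain bodies are searched, so attachments (CVs, PDFs) would need separate text extraction, and identity should be verified before the search is run. The deadline rule follows ICO guidance (corresponding calendar date in the following month, or that month's last day if there is none); weekend and bank-holiday roll-forward and the extension for complex requests are not modelled.

```python
"""SAR triage over an RFC 5322 mailbox export (added example)."""
import calendar
import datetime as dt
import email
import re
from email import policy

# Constructed sample export (not real correspondence).
RAW_MESSAGES = [
    "\n".join([
        "From: Jane Doe <jane.doe@example.com>",
        "To: support@example.co.uk",
        "Subject: Complaint about order 1042",
        "Message-ID: <m1@example.com>",
        "Date: Mon, 03 Feb 2025 10:15:00 +0000",
        "",
        "My order arrived damaged. Please call me on 01632 960000.",
        "Jane",
    ]),
    "\n".join([
        "From: support@example.co.uk",
        "To: accounts@example.co.uk",
        "Subject: Refund approval",
        "Message-ID: <m2@example.co.uk>",
        "Date: Tue, 04 Feb 2025 09:00:00 +0000",
        "",
        "Approving a refund for Jane Doe's order 1042, damaged in transit.",
    ]),
    "\n".join([
        "From: alice@example.org",
        "To: support@example.co.uk",
        "Subject: Meeting next week",
        "Message-ID: <m3@example.org>",
        "Date: Wed, 05 Feb 2025 14:30:00 +0000",
        "",
        "Can we move Thursday's call to 3pm? Thanks, Alice Janeway.",
    ]),
]

# Identifiers supplied by the requester (constructed; verify identity first).
SUBJECT_IDENTIFIERS = ["jane.doe@example.com", "Jane Doe"]
SEARCH_HEADERS = ("From", "To", "Cc", "Bcc", "Subject")


def _matches(text: str, identifier: str) -> bool:
    # Whole-token, case-insensitive match: "Jane Doe" must not hit "Jane Doering".
    pattern = r"(?<!\w)" + re.escape(identifier) + r"(?!\w)"
    return re.search(pattern, text, re.IGNORECASE) is not None


def fields_mentioning(raw: str, identifiers) -> tuple:
    """Return (Message-ID, [fields that contain any identifier])."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    for name in SEARCH_HEADERS:
        value = " ".join(str(v) for v in msg.get_all(name, []))
        if any(_matches(value, ident) for ident in identifiers):
            hits.append(name)
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and any(_matches(body.get_content(), i) for i in identifiers):
        hits.append("body")
    return str(msg["Message-ID"]).strip(), hits


def search_mailboxes(raw_messages, identifiers) -> dict:
    """Map Message-ID -> matching fields for every message mentioning the subject."""
    results = {}
    for raw in raw_messages:
        mid, hits = fields_mentioning(raw, identifiers)
        if hits:
            results[mid] = hits
    return results


def sar_deadline(received: dt.date) -> dt.date:
    """One calendar month from the day of receipt, clamped to month end."""
    year = received.year + received.month // 12
    month = received.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return dt.date(year, month, min(received.day, last_day))


EXAMPLE_RECEIVED = dt.date(2025, 1, 31)

if __name__ == "__main__":
    for mid, fields in search_mailboxes(RAW_MESSAGES, SUBJECT_IDENTIFIERS).items():
        print(mid, "->", ", ".join(fields))
    print("respond by", sar_deadline(EXAMPLE_RECEIVED))
```

The field list per hit matters for the redaction step: a message that matches only on the To header, say, is often a bulk mail with no other data about the subject, while a body match needs a human to decide what is the subject's data and what belongs to third parties.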
UK GDPR Article 33 requires controllers to notify the ICO of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; where the risk is high, Article 34 requires you to tell the affected individuals as well. Common email-related breaches and how they usually fall:
- Compromised mailbox with personal data inside: notify the ICO, and notify the individuals if the exposed content puts them at high risk.
- Mail sent to the wrong recipient containing personal data: assess case by case. Misdirected email is among the most frequently reported breach types; a single non-sensitive message may fall below the threshold, but it still goes in the internal breach register.
- Large-scale phishing-driven account takeover: notify the ICO, and very likely the affected individuals.
- Loss of availability: if an incident (ransomware, storage failure, accidental deletion) leaves personal data unavailable or destroyed, that is a breach and needs assessing; a short outage with data intact usually is not, but record it.
Preparation: retain authentication and mailbox-access audit logs for at least 90 days (you cannot scope a breach you cannot see), maintain an incident response plan naming roles and steps, and know the breach-notification terms in your provider's DPA. Article 33(2) obliges the processor to tell you without undue delay, and your 72 hours run from the moment you become aware, so the plan should say who receives that notification and who decides on reporting.
When the ICO enquires about your email data handling (either routinely or after a complaint), typical examinations:
- Evidence of DPA in place with the email provider.
- Evidence of security controls — MFA on admin accounts, password policies, session timeout.
- Documentation of retention policies.
- Records of SAR responses — within time, accurate.
- Data flow maps showing where email data flows (including to the provider).
- Breach register — even for breaches not reportable to ICO, records should exist internally.
- Staff training — evidence that employees understand email handling policies.
Sector-specific obligations that sit on top of UK GDPR:
- Healthcare. Data Security and Protection Toolkit (DSPT) compliance. Patient data in email requires S/MIME or secure portal handling; NHSmail (nhs.net) for correspondence with the NHS.
- Legal. SRA Accounts Rules require accounting records to be kept for at least six years; client-file retention is set by firm policy, commonly six years or more from file closure. Long retention, WORM archive typical.
- Financial services. FCA SYSC 9 record keeping. SMCR-certified staff communications journaled to Smarsh/Mimecast-style compliance archive.
- Public sector. National Cyber Security Centre Mail Check external validation. FOI requests touch email archives — searchability matters.
- Education. Child safeguarding considerations; staff-pupil communication often restricted to controlled platforms (not personal email).
Compliance checklist:
- DPA signed with email provider.
- UK data residency chosen or confirmed.
- MFA enabled on all admin accounts and, wherever the platform supports it, on all user accounts; a mailbox without MFA is the usual entry point for the breaches above.
- Password policy based on length (at least 12 characters, or a passphrase) and screening against known-breached passwords, rather than forced complexity or periodic rotation, in line with NCSC guidance.
- TLS 1.2+ on all email traffic.
- Retention policies documented per data category.
- SAR response process documented and tested.
- Breach response plan documented; key contact identified.
- Audit logs retained at least 90 days (longer for regulated sectors).
- Sub-processor changes reviewed before acceptance.
- Annual review of all of the above.
Q: Do I need a DPA if I am a sole trader using email for business?
A: If you handle personal data of UK residents, yes. UK GDPR applies to sole traders the same as to limited companies.
Q: Is free Gmail UK GDPR-compliant for business use?
A: Google's paid Workspace has a proper DPA. Free Gmail does not have a DPA for business-scale processing — using it for business correspondence is non-compliant.
Q: How long must I keep personal data in email?
A: There is no one answer. Depends on purpose and applicable statutory periods. Document your retention policy and apply it consistently.
Q: Can I just delete emails to comply with the right to erasure?
A: Not always. If the data is needed for legal, financial or regulatory purposes, retention obligations override erasure rights. Document the justification.
Q: What happens to my data when I cancel?
A: A DPA-compliant provider returns or deletes your data on your instructions at end of service. SmartXHosting retains for 30 days post-cancellation by default, longer on request, with full deletion within 90 days unless held for legal reasons.