Why Email Is a Compliance Issue for Regulated Professions

Here is a scenario that plays out more often than most professionals care to admit. A solicitor sends a confidential settlement offer to a client using their personal Gmail account because the office system was being awkward that morning. An accountant forwards a client's tax return to a colleague using an unencrypted email service because it was faster. A financial adviser emails a portfolio summary to a client without realising the email passed through servers in three different countries before it arrived.

In each of these cases, the professional has likely breached their regulatory obligations — even though no data was stolen, no client complained, and nobody noticed. The breach is in the lack of proper controls, not in any specific bad outcome. Regulators do not wait for something to go wrong. They expect you to have the right systems in place before anything happens.

For most UK businesses, email is simply a communication tool. You send messages, you receive messages, and as long as they arrive, everything is fine. But if your profession is regulated, whether by the Solicitors Regulation Authority, the Financial Conduct Authority, the Institute of Chartered Accountants in England and Wales, the Care Quality Commission, or any number of other bodies, your email system is subject to specific rules about confidentiality, security, data retention, and data sovereignty.

Did You Know?

According to the Information Commissioner's Office, the professional services sector — including law firms, accountancies, and financial services — consistently ranks among the top five sectors for reported data breaches in the UK. Email is the most common channel through which these breaches occur.

The consequences of non-compliance are not theoretical. The SRA has issued fines and sanctions to law firms for inadequate cyber security. The FCA has penalised firms for failure to maintain proper records of electronic communications. The ICO has fined organisations across every regulated sector for GDPR violations involving email. And in healthcare, breaches of patient confidentiality can result in professional misconduct proceedings that end careers.

This article walks through the email requirements for four of the most commonly regulated sectors in the UK: legal, accounting, financial services, and healthcare. It then identifies the common threads that apply across all of them, and provides a practical checklist for choosing an email provider that makes compliance straightforward rather than stressful.

Solicitors: What the SRA Expects

If you are a solicitor, a conveyancer, or run any firm regulated by the Solicitors Regulation Authority, your email obligations are woven into almost every aspect of your professional duties. The SRA does not have a single document titled "email rules for solicitors." Instead, the requirements emerge from several overlapping frameworks that, taken together, set a very clear standard.

Client Confidentiality in All Communications

The SRA Standards and Regulations place client confidentiality at the centre of professional conduct. Principle 7 requires you to act in the best interests of each client, and paragraph 6.3 of the Code of Conduct for Solicitors, RELs and RFLs requires you to keep the affairs of current and former clients confidential unless disclosure is required or permitted by law or the client consents. This applies to every form of communication, and in modern practice the vast majority of client communication happens over email.

What does this mean in practice? It means that every email containing client information must be transmitted securely. Encryption is not a nice-to-have — it is the mechanism by which you fulfil your duty of confidentiality in electronic form. If you send an email containing a client's financial details, a case strategy, or a settlement discussion, and that email is intercepted because it was not encrypted, you have failed in your duty.

Important

The SRA's published cyber security guidance specifically warns that email is one of the most common vectors for data breaches in law firms. Firms that do not implement basic email security measures — including encryption, access controls, and staff training — are at risk of regulatory action even if no breach has occurred.

Encryption for Sensitive Client Data

The SRA expects firms to use encryption when transmitting sensitive client data. Think of encryption like sealing a letter inside a tamper-proof envelope: even if someone intercepts the letter during delivery, they cannot read its contents without the key to open the seal. Without encryption, your email travels across the internet in a form that can, in theory, be read by anyone who manages to intercept it — like sending a postcard instead of a sealed letter.

Modern email providers should encrypt your messages in two ways. In transit means the connection is encrypted with TLS while the message travels between your mail client, your provider's server and the recipient's server. At rest means the message is encrypted while it sits on the server, so someone who obtains the underlying disks cannot read it. Both matter for regulatory compliance, with a caveat a practitioner should understand: server-to-server TLS is negotiated hop by hop and is opportunistic by default, so a sending server that cannot negotiate TLS with the recipient will usually fall back to plaintext unless the recipient domain publishes an enforcement policy (MTA-STS or DANE, described later in this article). Encryption at rest likewise protects against stolen or discarded hardware, not against a compromised account, which is why access controls and two-factor authentication sit alongside it.

Data Retention

Solicitors are expected to retain client files for minimum periods that vary depending on the type of matter. General guidance suggests at least six years after the matter closes, though certain categories — conveyancing files, wills, trust documents, matters involving minors — may require retention for considerably longer, sometimes indefinitely. Your email system must be capable of retaining and retrieving correspondence for these periods. A provider that automatically deletes old messages or limits your storage to a small quota is a compliance risk.

Professional Email Address

The SRA's guidance on firm identity expects that client-facing communications come from a professional, branded email address: yourname@yourfirm.co.uk, not yourname@gmail.com. This is not merely cosmetic. A domain you control lets you publish the email authentication records (SPF, DKIM and DMARC, explained in the checklist later in this article) that prove your emails genuinely come from your firm and let receiving servers reject forgeries, gives you control over access when staff leave, and presents a professional identity that clients and other parties can trust.

GDPR Compliance

As a data controller, every solicitor's firm must comply with the UK General Data Protection Regulation. For email, this means maintaining records of data processing activities, being able to respond to subject access requests (where a client or other individual asks for copies of all data you hold about them, including emails), and ensuring that personal data is stored securely with appropriate access controls. Your email provider's data processing agreement — a legal document setting out how they handle your data — should be readily available and should confirm that data is processed lawfully and stored within an appropriate jurisdiction.

Cyber Security Expectations

The SRA published specific cyber security guidance following a series of high-profile attacks on law firms. This guidance covers email security directly, recommending two-factor authentication, encrypted connections, staff training on phishing, and incident response planning. While framed as guidance rather than binding rules, the SRA has made clear that firms which ignore this guidance and subsequently suffer a breach will face a much harder time demonstrating that they met their regulatory obligations.

Accountants: ICAEW, ACCA and CIMA Requirements

Accountants in the UK operate under several regulatory bodies, the most prominent being the Institute of Chartered Accountants in England and Wales (ICAEW), the Association of Chartered Certified Accountants (ACCA), and the Chartered Institute of Management Accountants (CIMA). Each has its own code of ethics and professional standards, but the email-related requirements are remarkably consistent across all three.

The Professional Duty of Confidentiality

All three bodies require members to maintain the confidentiality of information acquired as a result of professional relationships. For accountants, this means every email containing client financial data — tax returns, profit and loss statements, payroll information, management accounts — must be handled with appropriate security. Sending a client's financial records over an unencrypted email connection is a confidentiality risk, regardless of whether anyone actually intercepts it. The duty is to take reasonable steps to protect the information, and using an insecure email channel is not a reasonable step.

Anti-Money Laundering Considerations

Accountants are subject to the UK's anti-money laundering regulations and are required to carry out customer due diligence, report suspicious activity, and maintain records of their AML procedures. Email plays a central role in this: much of the due diligence documentation arrives by email, suspicious activity reports may reference email communications, and HMRC can request evidence of AML compliance at any time. Your email system must be capable of retaining and retrieving these records reliably. If HMRC asks for evidence of the due diligence you performed on a client three years ago and the relevant emails have been deleted or cannot be found, you have a serious problem.

Did You Know?

HMRC requires financial records to be retained for a minimum of six years. For accountancy firms, this extends to email correspondence that forms part of the client file, including engagement letters, tax computations, queries, and advice — all of which are routinely sent by email.

Data Retention for Financial Records

HMRC requires businesses and their agents to retain financial records for at least six years. For accountancy firms, the relevant emails include engagement letters, tax computations, client queries, correspondence with HMRC on behalf of clients, and any advice given. Your email provider must offer sufficient storage and retention to meet this requirement without requiring you to manually archive messages to external storage — a process that is both cumbersome and error-prone.

Professional Indemnity Insurance

Most accountancy bodies require members to hold professional indemnity insurance. Insurers increasingly examine the security practices of the firms they cover, and some policies include conditions around data security. If your insurer discovers that you were using an insecure email service — no encryption, no two-factor authentication, no access controls — and a data breach occurs, they may argue that the claim falls outside the policy's coverage. Ensuring your email meets basic security standards is not just a regulatory requirement; it may be an insurance requirement as well.

Client Communication Standards

All three bodies expect professional, branded communication with clients. Just as a solicitor is expected to correspond from a firm email address, accountants should use a professional domain — yourname@yourpractice.co.uk. This gives you full control over the domain's email authentication settings, ensures you can manage access when staff join or leave, and projects the professional image that clients expect from their accountant.

Financial Services: FCA Rules on Electronic Communications

If your firm is regulated by the Financial Conduct Authority, your email obligations are among the most explicit and demanding of any UK profession. The FCA regulates a vast range of businesses — from investment firms and insurance brokers to financial advisers and payment services providers — and its rules on electronic communications reflect the high stakes involved when financial information is exchanged.

SYSC and Record-Keeping

The FCA's SYSC sourcebook — which stands for Senior Management Arrangements, Systems and Controls — requires regulated firms to maintain adequate records of all communications relating to their regulated activities. This includes email. In practical terms, it means your firm must be able to produce email records when the FCA requests them, and those records must be complete, accurate, and accessible.

For many FCA-regulated firms, this is not a vague aspiration — it is tested during supervisory visits. The FCA may ask to see email correspondence relating to specific client interactions, complaint handling, or transaction records. If you cannot produce these records because your email system has limited retention, or because messages were deleted, or because you changed providers and lost the archive, you are in breach of SYSC requirements.

MiFID II Record-Keeping

Investment firms subject to the recast Markets in Financial Instruments Directive (MiFID II) face even stricter requirements. MiFID II requires firms to retain all electronic communications relating to transactions, including emails, for a minimum of five years, and the FCA can require retention for up to seven years; some firms simply retain for seven years to be safe. The records must be stored in a medium that does not allow them to be altered, and in a format that allows them to be retrieved and provided to the FCA on request.

Important

The FCA has fined firms for failure to maintain adequate records of electronic communications. In several published cases, the inability to produce email records during a regulatory investigation was cited as an aggravating factor that increased the severity of the penalty.

Email Monitoring and Archiving

For larger FCA-regulated firms, email monitoring is a requirement: not just retaining emails, but actively reviewing them for compliance issues, insider dealing risks, and market abuse. Even smaller firms that are not required to monitor email actively are expected to have the capability to review and produce email records when needed. This means your email provider must support archiving, meaning a complete, searchable, tamper-evident (write-once) copy of all email communications kept for the required retention period, held separately from users' mailboxes so that a deletion by a user or an attacker does not remove the record.

Data Security

The FCA expects regulated firms to maintain robust data security, and breaches must be reported. For email, this means encryption in transit and at rest, strong access controls (including two-factor authentication), and audit logging that shows who accessed what and when. If a data breach occurs and the FCA discovers that your email system lacked basic security controls, the regulatory consequences will be significantly more severe.

Clear, Fair and Not Misleading

The FCA requires all client communications to be clear, fair and not misleading. While this primarily relates to the content of communications rather than the email system itself, it reinforces the importance of a professional email setup. Emails sent from free, consumer email addresses — with advertisements in the footer, or with domain names that do not match your firm's registered identity — undermine the clarity and professionalism that the FCA expects.

Healthcare: CQC, GMC and Patient Confidentiality

Healthcare providers in the UK operate within one of the most stringent regulatory environments for data protection. Whether you are a GP practice, a private clinic, a dental surgery, a care home, or a mental health provider, your email obligations are shaped by a layered set of requirements that go beyond even GDPR.

Patient Confidentiality: A Layered Obligation

Patient confidentiality in the UK is protected by three overlapping frameworks. First, the common law duty of confidentiality, a long-established legal principle that information shared in a medical context must be kept confidential. Second, the UK GDPR and Data Protection Act 2018, which classify health data as a special category requiring additional protections. Third, the Caldicott Principles, a set of eight principles (the eighth was added in 2020) established for the handling of patient-identifiable information in the NHS and extended to the wider health and social care sector.

Together, these frameworks mean that any email containing patient information — appointment details, clinical notes, test results, referral letters, prescriptions — must be handled with the highest level of security. The consequences of failure are severe: disciplinary action by the General Medical Council (GMC) or Nursing and Midwifery Council (NMC), enforcement action by the Care Quality Commission (CQC), fines from the ICO, and civil litigation from affected patients.

NHS Data Security and Protection Toolkit

If your healthcare practice interacts with the NHS in any capacity — including receiving referrals, sharing patient records, or accessing NHS systems — you may be required to complete the NHS Data Security and Protection Toolkit (DSPT). This is an annual self-assessment that evaluates your organisation's compliance with data security standards. Many private healthcare providers are surprised to discover that they need to complete it.

The DSPT includes specific questions about email security: whether email containing patient data is encrypted, whether access to email accounts is controlled and auditable, and whether staff have completed information governance training. Your email system must support these requirements, and your provider should be able to confirm that data is encrypted both in transit and at rest.

Did You Know?

The seventh Caldicott Principle, added in 2013, states that the duty to share information for individual care is as important as the duty to protect patient confidentiality. An eighth principle, added in December 2020, requires organisations to inform patients and service users about how their confidential information is used. Together they mean healthcare providers need email systems that can securely share information with authorised parties, not just lock everything down.

Encryption Is Non-Negotiable

For healthcare providers, email encryption is not a recommendation but a requirement. Any email containing patient-identifiable data must be encrypted in transit. NHS organisations were previously required to use NHSmail for such messages; the NHS secure email standard (DCB1596) now allows any email service that has been accredited against its security requirements. For private healthcare providers the principle is the same: if you email patient information, the transport must be encrypted, and if you cannot confirm that the recipient's service meets the standard, encrypt the message itself or send a link to a secure portal rather than relying on transport encryption alone.

Audit Trails

Healthcare regulators expect organisations to maintain audit trails for access to patient information. For email, this means your provider should offer logging that shows when accounts were accessed, from which devices, and what actions were taken. If a patient complains that their information was shared inappropriately, you need to be able to investigate who had access to the relevant emails and when they accessed them.

Information Governance Training

The CQC and the DSPT both require staff to complete information governance training. While this is a training requirement rather than an email system requirement, it intersects with your email setup: your system should support policies that reinforce training, such as enforced two-factor authentication, automatic session timeouts, and the ability to restrict access based on roles.

Common Requirements Across All Regulated Sectors

Despite the differences between solicitors, accountants, financial advisers, and healthcare providers, the email requirements across all regulated sectors converge on a remarkably consistent set of principles. If you work in any regulated profession in the UK, these are the non-negotiable foundations of a compliant email system.

Professional Email Address

Every regulated body, without exception, expects professional communications from a branded domain — yourname@yourfirm.co.uk. A free email address such as @gmail.com, @yahoo.com, or @outlook.com is not acceptable for regulated professional correspondence. It undermines client trust, prevents you from implementing domain-level security, and makes it impossible to manage email access centrally when staff join or leave your organisation.

Data Stored in the UK or EU

Data sovereignty is a recurring theme across every regulated sector. The UK GDPR restricts transfers of personal data outside the UK unless appropriate safeguards are in place; countries covered by UK adequacy regulations, which include the EEA, are the straightforward case. For regulated professions, the simplest way to meet this requirement is to use an email provider that stores and processes data exclusively in UK or EU data centres. This avoids transfer risk assessments and gives you a straightforward answer when a regulator asks where client data is stored. Ask about support access as well as storage: a provider whose engineers access your data from outside the UK is also making a transfer.

Encryption in Transit and at Rest

Encryption is expected by the SRA, required by the FCA, mandated for healthcare providers, and a fundamental GDPR obligation for all data controllers. Your email must be encrypted while it travels between sender and recipient — think of it as a sealed, tamper-proof envelope around every message. Ideally, it should also be encrypted while stored on the server — like keeping those envelopes in a locked vault rather than an open filing cabinet.

Access Control and Two-Factor Authentication

Every regulatory framework expects appropriate access controls. In email terms, this means each user has their own account with a unique password, access can be granted or revoked centrally by an administrator, and two-factor authentication is available and, ideally, enforceable. Two-factor authentication adds a second step to login: after entering your password, you must also provide a short code from an authenticator app on your phone (or touch a hardware security key), like having two locks on your front door instead of one. Codes sent by SMS are the weakest form, since they can be intercepted through SIM-swap fraud, so prefer an app or a key where the provider supports it.
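How the "code from an app" actually works, as an added example written for this article (it is not code from the page's author or from any provider named here). It implements RFC 4226 HOTP and RFC 6238 TOTP with Python's standard library, together with the server-side check that tolerates clock drift and refuses a replayed code. The secret is the reference key from RFC 6238 so the output can be checked against the RFC's test vectors; that key, the user name and the one-step drift window are assumptions of the demonstration, not values from the page:

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional

# The RFC 6238 reference key, used here only so the output can be checked against the
# RFC's test vectors; a real enrolment generates a fresh random secret per user.
# Authenticator apps receive the secret base32-encoded inside an otpauth:// URI.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper())
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter taken from the clock in 30-second steps."""
    return hotp(secret_b32, unix_time // step, digits)


def match_counter(secret_b32: str, submitted: str, unix_time: int,
                  window: int = 1, step: int = 30) -> Optional[int]:
    """Return the time step the code was generated for, or None if it fits none.

    The window tolerates clock drift between phone and server. The comparison is
    constant-time so response timing does not reveal how many digits were right.
    """
    current = unix_time // step
    for drift in range(-window, window + 1):
        candidate = current + drift
        if hmac.compare_digest(hotp(secret_b32, candidate), submitted):
            return candidate
    return None


class TotpVerifier:
    """Server-side check with replay protection: a code is accepted once, and a
    later code for the same or an earlier step is refused even inside the window."""

    def __init__(self, window: int = 1, step: int = 30) -> None:
        self.window, self.step = window, step
        self.last_accepted: Dict[str, int] = {}

    def check(self, user: str, secret_b32: str, submitted: str, unix_time: int) -> bool:
        matched = match_counter(secret_b32, submitted, unix_time, self.window, self.step)
        if matched is None or matched <= self.last_accepted.get(user, -1):
            return False
        self.last_accepted[user] = matched
        return True


if __name__ == "__main__":
    now = int(time.time())
    print("secret to enrol in the authenticator app:", DEMO_SECRET_B32)
    print("code the app would show right now:", totp(DEMO_SECRET_B32, now))
```

The replay guard is the part most home-grown verifiers omit: without it, a code phished from a user remains valid for the whole drift window, which is exactly the attack a second factor is meant to stop.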

Data Retention and Archiving

Whether it is six years for solicitors and accountants, five years for FCA-regulated firms, or variable periods for healthcare records, every regulated profession must retain email correspondence for defined minimum periods. Your email provider must offer sufficient storage, reliable retention, and the ability to search and retrieve historical messages. Archiving, meaning a separate, tamper-evident (write-once) copy of all communications that a mailbox user cannot alter or delete, is ideal, and is a requirement for some FCA-regulated firms.

Audit Logging

Regulators expect you to know who accessed what and when. Your email provider should maintain logs of login activity, including timestamps, device information, and approximate location. These logs are essential for investigating potential breaches, responding to regulatory inquiries, and demonstrating that your access controls are working.

Incident Response

Every regulatory framework requires organisations to have a plan for what happens if something goes wrong. For email, this means knowing what to do if an account is compromised, if a phishing attack succeeds, or if data is accidentally sent to the wrong recipient. Your email provider should support incident response by offering rapid password resets, the ability to revoke access to specific devices, and cooperation with investigations when needed.

Business Continuity

Email must keep working. Downtime is not just inconvenient — for regulated professionals, it can mean missed court deadlines, delayed financial filings, or failure to respond to urgent patient queries. Your email provider should offer high availability, reliable infrastructure, and — for critical operations — the option of dedicated server resources that are not shared with other organisations.

epost.plus Advantage

Every epost.plus business email account includes enforced encryption (TLS in transit, encrypted storage at rest), two-factor authentication, UK and EU data centre hosting, and full email authentication configured by default. These are not premium add-ons — they are included in every plan, giving regulated firms a compliant email foundation from day one.

What to Look for in an Email Provider: The Compliance Checklist

If you work in a regulated profession and you are choosing — or re-evaluating — your email provider, the following checklist covers the features that matter for compliance. Not every provider will meet all of these criteria, but a provider that falls short on several of them is a compliance risk that you should take seriously.

UK or EU Data Centres with Confirmed Jurisdiction

Your provider should be able to confirm, in writing, that your email data is stored in data centres located in the UK or EU. "Primarily stored in" or "usually processed in" is not good enough — you need a definitive answer. If the provider cannot tell you where your data physically resides, that is a red flag.

Full Domain Protection Configured by Default

Your email domain should be protected by the three main email authentication mechanisms: SPF, a guest list published in DNS specifying which servers are authorised to send email from your domain; DKIM, a digital signature on every outgoing message proving it came from your domain and has not been altered in transit; and DMARC, a published policy telling receiving servers what to do with messages that pass neither check (reject them, quarantine them, or merely report them) and where to send reports. A good provider configures all three automatically when you set up your domain, rather than leaving it as a manual task for you to figure out. Two things are worth checking yourself: that the DMARC policy is p=reject rather than the monitoring-only p=none, and that the SPF record ends with -all rather than the permissive +all or ?all.
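A check you can run against those published records, written for this article as an added example (it is not code from the page's author or from any provider named here). The domains, hosts and record values below are constructed stand-ins for live DNS TXT lookups, and the DKIM selector name is an assumption; in practice you take the selector from your provider or from the s= tag of a DKIM-Signature header on a message your domain has sent:

```python
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, message); severity is "fail", "warn" or "info"

# Constructed records standing in for live DNS TXT lookups. The domains, hosts and
# (truncated) key material are assumptions for this example and do not exist.
CONSTRUCTED_DNS: Dict[str, List[str]] = {
    "goodfirm.example": ["v=spf1 mx include:_spf.mailhost.example -all"],
    "_dmarc.goodfirm.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@goodfirm.example; adkim=s; aspf=s"],
    "mail._domainkey.goodfirm.example": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"],
    "weakfirm.example": ["v=spf1 a mx ?all"],
    "_dmarc.weakfirm.example": ["v=DMARC1; p=none"],
    # weakfirm.example publishes no DKIM selector at all
}
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record: str) -> Dict[str, str]:
    """Parse the 'k=v; k=v' tag lists used by DMARC and DKIM records."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_lookup_count(terms: List[str]) -> int:
    """Count mechanisms that cost a DNS lookup; RFC 7208 allows at most ten."""
    names = (t.lstrip("+-~?").split(":", 1)[0].split("/", 1)[0].split("=", 1)[0].lower() for t in terms)
    return sum(1 for name in names if name in SPF_LOOKUP_MECHANISMS)


def audit_spf(records: List[str]) -> List[Finding]:
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return [("fail", "no SPF record: any server can claim to send for this domain")]
    findings: List[Finding] = []
    if len(spf) > 1:
        findings.append(("fail", "more than one SPF record: receivers treat this as a permanent error"))
    terms = spf[0].split()[1:]
    last = terms[-1].lower() if terms else ""
    if last in ("+all", "all", "?all"):
        findings.append(("fail", f"SPF ends with '{last}': every sender on the internet is authorised"))
    elif last == "~all":
        findings.append(("warn", "SPF ends with '~all' (soft fail); publish '-all' once every sender is listed"))
    elif last != "-all" and not any(t.lower().startswith("redirect=") for t in terms):
        findings.append(("warn", "SPF has no terminal 'all' mechanism"))
    if spf_lookup_count(terms) > 10:
        findings.append(("fail", "SPF needs more than ten DNS lookups; receivers return a permanent error"))
    return findings


def audit_dmarc(records: List[str]) -> List[Finding]:
    dmarc = [r for r in records if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        return [("fail", "no DMARC record: receivers get no policy for mail failing SPF and DKIM")]
    tags, findings = parse_tags(dmarc[0]), []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(("fail", "DMARC p=none: failures are reported but never acted on"))
    elif policy == "quarantine":
        findings.append(("warn", "DMARC p=quarantine: spoofed mail lands in spam folders instead of being rejected"))
    elif policy != "reject":
        findings.append(("fail", f"DMARC policy '{policy}' is not valid"))
    if "rua" not in tags:
        findings.append(("warn", "DMARC has no rua= address: you will receive no aggregate reports"))
    if int(tags.get("pct", "100")) < 100:
        findings.append(("warn", f"DMARC pct={tags['pct']}: the policy applies to only part of the mail stream"))
    return findings


def audit_dkim(dns: Dict[str, List[str]], domain: str, selectors: List[str]) -> List[Finding]:
    # Selectors are not discoverable from DNS alone: take the names from your provider
    # or from the s= tag of a DKIM-Signature header on mail your domain has sent.
    published = [s for s in selectors for r in dns.get(f"{s}._domainkey.{domain}", [])
                 if parse_tags(r).get("v", "DKIM1").upper() == "DKIM1" and parse_tags(r).get("p")]
    if not published:
        return [("fail", "no DKIM public key for the checked selectors: outgoing mail carries no verifiable signature")]
    return [("info", "DKIM selectors with a published key: " + ", ".join(published))]


def audit_domain(domain: str, dns: Dict[str, List[str]], selectors: List[str]) -> dict:
    """Run all three checks; 'ok' is True only when nothing is at fail or warn level."""
    findings = (audit_spf(dns.get(domain, [])) + audit_dmarc(dns.get(f"_dmarc.{domain}", []))
                + audit_dkim(dns, domain, selectors))
    return {"domain": domain, "findings": findings,
            "ok": not any(severity in ("fail", "warn") for severity, _ in findings)}


if __name__ == "__main__":
    for name in ("goodfirm.example", "weakfirm.example"):
        result = audit_domain(name, CONSTRUCTED_DNS, ["mail"])
        print(name, "OK" if result["ok"] else "NEEDS ATTENTION")
        for severity, message in result["findings"]:
            print(f"  [{severity}] {message}")
```

To run it against your own domain, replace CONSTRUCTED_DNS with real lookups (for example dnspython's dns.resolver.resolve(name, "TXT")). Any fail or warn finding is something to raise with your provider before a regulator, or a spoofed invoice sent in your firm's name, raises it for you.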

Two-Factor Authentication Enforceable for All Users

It is not enough for 2FA to be available — it must be something you can require for every account in your organisation. If you cannot enforce it, some users will not enable it, and a single unprotected account is all it takes for a breach.

Email Archiving Capability

For FCA-regulated firms, archiving is a requirement. For others, it is a strong recommendation. Your provider should offer the ability to retain a complete, searchable archive of all email communications for a defined period — typically five to seven years at minimum.

Audit Logging

Login activity logs, device connection logs, and administrative action logs should be available to you or your administrator. These logs should cover at least the most recent twelve months and ideally longer.

Data Processing Agreement Available

Under GDPR, any organisation that processes personal data on your behalf must provide a Data Processing Agreement. Your email provider is a data processor. They should have a DPA readily available — not buried in a support ticket queue, but published on their website or provided promptly upon request. The DPA should clearly state the jurisdiction where data is processed and stored.

Dedicated Infrastructure Option

For larger firms, or for practices that handle particularly sensitive data, the option to run on dedicated email infrastructure — rather than shared servers — provides an additional layer of isolation and control. This is not necessary for every firm, but it should be available as an option for those that need it.

UK-Based Support with Email Expertise

When something goes wrong — a potential breach, a compliance question, a technical issue — you need to reach someone who understands both the technology and the UK regulatory context. Support teams based overseas, or support teams that are generalist IT helpdesks rather than email specialists, may not be able to help you when it matters most.

Requirement | Why It Matters | Who Requires It
UK/EU data centres | Simplifies GDPR compliance and data sovereignty | All regulated sectors
Encryption (transit + rest) | Protects client/patient data in transmission and storage | SRA, FCA, CQC, GDPR
Two-factor authentication | Prevents unauthorised access even if passwords are compromised | SRA guidance, FCA, NHS DSPT
Email archiving | Meets record retention obligations | FCA (MiFID II), SRA, HMRC
Audit logging | Supports breach investigation and regulatory inquiries | All regulated sectors
Professional domain email | Enables domain-level security and projects professional identity | SRA, ICAEW, FCA, CQC
Data Processing Agreement | Legal requirement under GDPR for all data processors | All regulated sectors
Dedicated infrastructure option | Additional isolation for high-sensitivity environments | Larger FCA firms, NHS trusts

How epost.plus Meets These Requirements

Choosing an email provider for a regulated firm is not about finding the most feature-rich platform or the cheapest per-mailbox price. It is about finding a provider whose default configuration already meets your compliance obligations, so that you are not constantly patching gaps or worrying about whether you have missed something.

epost.plus Business Email is built on the Axigen mail server platform and is designed with security and compliance as the foundation, not as optional extras. Here is how it addresses the requirements outlined in this article:

  • UK and EU data centres — All email data is stored in data centres located within the UK and EU. There is no ambiguity about jurisdiction, and no data is routed through or stored in third countries.
  • Full email authentication by default — Every domain is configured with the complete authentication stack from day one: the guest list that authorises sending servers, the digital seal on every message, and the strictest policy that instructs recipients to reject unauthenticated messages. This is not a feature you have to request or configure — it happens automatically.
  • Encryption at every level — Connections are encrypted with TLS in transit, and epost.plus goes further with MTA-STS (a published policy telling sending servers they must use TLS with a validated certificate when delivering to your domain, instead of silently falling back to plaintext) and DANE (TLSA records, signed with DNSSEC, that pin the certificate your mail server is expected to present, so a forged certificate on the path is detected). Data at rest is stored on encrypted infrastructure.
  • Two-factor authentication — Available and enforceable for all user accounts, using standard authenticator apps. Administrators can require 2FA across the entire organisation.
  • ActiveSync for device management — Synchronises email, calendar, and contacts across all devices, and supports remote wipe of business data from lost or stolen devices. This is critical for regulated firms where staff may use personal phones to access email.
  • Axigen-powered infrastructure — The Axigen mail server provides enterprise-grade reliability, administrative controls, and the technical foundation for archiving, retention, and audit capabilities.
  • Dedicated server option — For firms that need it, dedicated business email servers provide isolated infrastructure with full administrative control.
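What the MTA-STS and DANE bullet above amounts to in checkable terms, as an added example written for this article (not code from the page's author, from epost.plus or from Axigen). A sending server fetches the _mta-sts TXT record, then the policy file over HTTPS, and refuses to deliver to any MX host the policy does not list; a DANE-aware sender compares the TLSA record against the key the MX presents. The TXT record, policy file, MX list and key bytes below are constructed stand-ins for those fetches, and the one-day minimum for max_age is a choice of this example rather than a requirement of RFC 8461:

```python
import hashlib
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, message)

# Constructed inputs standing in for the DNS and HTTPS fetches a sending server makes.
# The domain, hosts and key bytes are assumptions for this example and do not exist.
CONSTRUCTED_STS_TXT = "v=STSv1; id=20240101T000000"   # TXT at _mta-sts.goodfirm.example
CONSTRUCTED_POLICY = (                                  # body of /.well-known/mta-sts.txt
    "version: STSv1\r\n"
    "mode: enforce\r\n"
    "mx: mx1.goodfirm.example\r\n"
    "mx: *.backup.goodfirm.example\r\n"
    "max_age: 604800\r\n"
)
CONSTRUCTED_MX_HOSTS = ["mx1.goodfirm.example", "mx2.backup.goodfirm.example"]
CONSTRUCTED_SPKI = b"constructed SubjectPublicKeyInfo DER bytes, not a real key"
CONSTRUCTED_TLSA = "3 1 1 " + hashlib.sha256(CONSTRUCTED_SPKI).hexdigest()


def parse_sts_txt(record: str) -> Dict[str, str]:
    """Parse the 'v=STSv1; id=...' TXT record that announces a policy exists."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def parse_policy(text: str) -> Dict[str, List[str]]:
    """Parse the 'key: value' lines of the policy file; the mx key may repeat."""
    fields: Dict[str, List[str]] = {}
    for line in text.replace("\r\n", "\n").split("\n"):
        if ":" in line:
            key, value = line.split(":", 1)
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def mx_matches(pattern: str, host: str) -> bool:
    """An mx pattern matches its host exactly, or with '*.' standing for one leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def audit_mta_sts(txt_record: str, policy_text: str, mx_hosts: List[str],
                  min_max_age: int = 86400) -> dict:
    findings: List[Finding] = []
    tags = parse_sts_txt(txt_record)
    if tags.get("v") != "STSv1" or not tags.get("id"):
        findings.append(("fail", "_mta-sts TXT record missing or malformed: senders will not look for a policy"))
    fields = parse_policy(policy_text)
    if fields.get("version") != ["STSv1"]:
        findings.append(("fail", "policy file is not version STSv1"))
    mode = (fields.get("mode") or [""])[0].lower()
    if mode == "testing":
        findings.append(("warn", "mode is testing: failures are reported but mail is still delivered without TLS"))
    elif mode != "enforce":
        findings.append(("fail", f"mode '{mode}' gives senders nothing to enforce"))
    try:
        max_age = int((fields.get("max_age") or ["0"])[0])
    except ValueError:
        max_age = 0
    if max_age < min_max_age:
        findings.append(("warn", f"max_age {max_age}s is short: senders forget the policy quickly if the policy host goes down"))
    patterns = fields.get("mx", [])
    for host in mx_hosts:
        if not any(mx_matches(p, host) for p in patterns):
            findings.append(("fail", f"MX host {host} matches no mx: line; enforcing senders will refuse to deliver to it"))
    return {"findings": findings, "ok": not any(s in ("fail", "warn") for s, _ in findings)}


def tlsa_matches(tlsa_record: str, spki_der: bytes) -> bool:
    """Check a '3 1 1 <hex>' TLSA record (DANE-EE, SubjectPublicKeyInfo, SHA-256) against
    the public key the mail server presented. The pin only means something when the
    record was obtained over DNSSEC-validated DNS, which is outside this example."""
    usage, selector, matching_type, digest = tlsa_record.split()
    if (usage, selector, matching_type) != ("3", "1", "1"):
        raise ValueError("only the 3 1 1 form is handled here")
    return hashlib.sha256(spki_der).hexdigest().lower() == digest.lower()


if __name__ == "__main__":
    result = audit_mta_sts(CONSTRUCTED_STS_TXT, CONSTRUCTED_POLICY, CONSTRUCTED_MX_HOSTS)
    print("MTA-STS:", "OK" if result["ok"] else "NEEDS ATTENTION")
    for severity, message in result["findings"]:
        print(f"  [{severity}] {message}")
    print("TLSA pin matches presented key:", tlsa_matches(CONSTRUCTED_TLSA, CONSTRUCTED_SPKI))
```

The MX check is the one that bites in practice: adding a backup MX host without adding a matching mx: line to the policy means enforcing senders will refuse to use it, and a policy left in testing mode gives you reports but no protection.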

For firms in the public sector or those working closely with government bodies, epost.plus also offers Public Administration Email — a tier designed specifically for organisations that require the highest levels of security, data sovereignty, and compliance. This is available to order through smartxhosting.uk.

epost.plus Advantage

epost.plus runs its strictest email protection policy by default: messages that fail authentication are rejected outright, not quarantined or delivered with a warning. Combined with MTA-STS enforcement, DANE certificate pinning, and DNSSEC, this is the same level of protection used by government email systems — and it is the default for every epost.plus domain.

You can view plans and order through smartxhosting.uk. If you have specific compliance questions or need guidance on choosing the right plan for your regulated firm, the support team can help you assess your requirements.

Frequently Asked Questions

Do I really need specialist email as a solicitor?

Yes. The Solicitors Regulation Authority expects all firms to maintain client confidentiality in electronic communications, and their published cyber security guidance specifically addresses email security. While the SRA does not name particular providers, they expect encryption for sensitive client data, access controls, audit trails, and data retention capabilities. A consumer email service such as Gmail or Yahoo Mail does not give you the controls, the data residency certainty, or the audit capabilities that the SRA expects. Using a professional email provider with UK or EU data centres, enforced encryption, and two-factor authentication is the simplest way to demonstrate compliance.

What happens if the SRA or FCA audits my email?

Both the SRA and the FCA have the power to request evidence of how your firm handles electronic communications. In practice, an audit typically examines whether you have adequate security measures in place, whether you can produce historical email records when required, and whether your data handling complies with GDPR. If you cannot demonstrate that client communications are encrypted, that access is properly controlled, and that you have a data retention policy, you risk regulatory action — which can range from a warning letter to fines or, in serious cases, suspension. The simplest way to prepare is to use an email provider that handles encryption, access control, and retention by default, and to keep a record of your provider's data processing agreement.

How long must I keep business emails?

It depends on your profession and the nature of the correspondence. Solicitors are generally advised to retain client files for a minimum of six years after the matter closes, though certain categories such as conveyancing or wills may require longer retention. Accountants must retain financial records for at least six years under HMRC rules. FCA-regulated investment firms must retain electronic communications for a minimum of five years under MiFID II. Healthcare providers must follow NHS retention schedules, which vary by record type but can extend to decades for certain patient records. In all cases, your email system must be capable of retaining and searching historical messages for the required period.

Is Gmail acceptable for a regulated firm?

Google Workspace, the paid business version of Gmail, offers encryption in transit and at rest, retention controls and audit logging, and is used by many regulated firms. The points to check are jurisdiction and contractual terms rather than the technology. Data region controls that let you keep data in the EU are available only on some editions, so on a basic plan you cannot confirm that client emails are stored exclusively in UK or EU data centres, and support access from outside the UK counts as a transfer too. Google's consumer Gmail is ad-supported; Workspace's terms state that customer data is not used for advertising, but confirm that, and any use of your data for product improvement, in the data processing terms before you sign. For regulators such as the SRA and FCA, the inability to confirm data jurisdiction is a material compliance gap. A provider that guarantees UK or EU storage and processing and does not process your data for any secondary purpose gives you the simpler answer.

What is the cheapest compliant email option for a regulated firm?

The cheapest option is not always the most economical one. A free or very low-cost email service that lacks encryption, retention, and audit capabilities may save you a few pounds per month — but a single compliance failure, regulatory fine, or data breach could cost thousands. That said, professional email with full authentication, encryption, and UK data centre hosting does not have to be expensive. Services such as epost.plus offer business email with complete security features at a fraction of the cost of enterprise platforms. The key is to look for a provider that includes the compliance essentials — encryption, 2FA, data residency, retention capability — in the standard package rather than charging extra for each one.

Do I need email archiving?

If you are in a regulated profession, the answer is almost certainly yes, at least in some form. Archiving means keeping a tamper-evident (write-once), searchable copy of all email communications for a defined retention period, outside the reach of a mailbox user who might delete or alter a message. For FCA-regulated firms, particularly those subject to MiFID II, email archiving is an explicit requirement. For solicitors and accountants, while there is no single rule that says the word "archiving", the combined effect of data retention requirements, client confidentiality obligations, and the duty to produce records when requested means that you need the practical capability to retrieve historical emails reliably. At minimum, your email provider should retain deleted messages for a reasonable period and offer searchable access to historical correspondence.
