Migrated mailbox and keeping the copy of the mailbox

I am assuming that you are going to change email service provider and you want to keep copy of your email database. Under GDPR you are allowed to process data for the data retention period as indicated inside the privacy notice and according to data retention policy. ISO 27001 does not have any requirements regarding migration of data.

If you want to make a copy of your email database for archive purposes and your privacy notice informed individuals about it, you need to make sure that the archive is correctly stored and security measures such as encryption have been taken.

You can find some information about privacy notice: Everything you need to know about the GDPR Privacy Notice: https://advisera.com/articles/gdpr-privacy-notice-6-key-elements-to-include/Is consent needed? Six legal bases to process data according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/

If you need to set a data retention policy, you can have a look to our template: 

What technical measures should be used for data retention and for deletion?

On the market, there is plenty of solutions for data retention and deletion and there is no unique answer. In selecting the measures that fit your needs, you need to consider that GDPR aims to assure integrity, availability, and confidentiality of data. Therefore, you can either store data in your local server, but server access must be secured and subjected to authentication, or you can choose to store data in the cloud, but you need to avoid shared cloud and select a solution that meets those targets.

GDPR, in fact, aims to be technologically neutral.

Encryption, antivirus, firewall, and controlled access are among the best technical measures; but, again, you need to verify if the encryption key is strong enough to protect data from unauthorized access, firewall and antivirus are updated to latest threats.

The same applies to data deletion: deleting data before the data retention period can be considered as a data breach because you were not able to guarantee integrity for all the data retention period (consider it when you set that period). On the market, there are tools that allow you to manage consent and deletion automatically, check if these tools guarantee enough security in terms of confidentiality, integrity, and availability.

Here you can find some useful information:A summary of 10 key GDPR requirements: https://advisera.com/eugdpracademy/knowledgebase/a-summary-of-10-key-gdpr-requirements/How cybersecurity solutions can help with GDPR compliance: https://advisera.com/eugdpracademy/blog/2017/11/27/how-cybersecurity-solutions-can-help-with-gdpr-compliance/Implementing 3 main accountability principles under the EU GDPR: https://advisera.com/eugdpracademy/blog/2017/09/27/implementing-3-main-accountability-principles-under-the-eu-gdpr/