How should meta data that's collected as a matter of course be handled? E.g. IPs logged connecting to systems, passing through them, in security logs, quarantine reports and so forth, not to mention email addresses that are captured in such data incidentally as a matter of course on all systems all over the Internet.
Most meta data that has to do with email services does not contain personal data unless it is gathering subjects and body content. This meta data should also have data retention periods set on them for business/legal reasons (only keep for as long as you need).
To minimize your risk and ensure your compliance click here