Today organizations are inundated with information, both paper and especially electronic. At the same time, the legal and regulatory recordkeeping environment is becoming stricter. The challenge is not only recordkeeping; companies face new and more stringent privacy rules, need to identify and protect high-value and confidential information from threats, and need to reduce risk and costs during litigation. Making these challenges worse, employees who are convinced that they need to save everything forever hoard electronic documents, which ironically hurts their own productivity as high-value information gets lost among the clutter of older and useless documents, data and their copies. Left unaddressed, these problems only get worse.
Companies face both legal and regulatory recordkeeping rules requiring them to retain records for a minimum length of time and privacy rules limiting how long personal information can be retained. It is a mistake to have a separate records retention policy and schedule alongside a data retention policy, because having retention in two policies can create conflicts and inconsistent retention. The best practice is to have a single policy containing both records and privacy.
What is commonly referred to as a records policy actually has two pieces: a policy and a schedule. A records policy is the “what” of the program and covers records management objectives, scope, definitions, and guidelines, including legal hold obligations and the consolidation of existing policies enterprise-wide.
A records schedule contains the specific detail on how long information should be saved, and typically is an appendix to the policy. Some organizations name the schedule a data retention policy, which is effectively the same thing. A well-designed schedule will be compliant and defensible and will address applicable audit and legal considerations, including specific business and operational requirements. A schedule should capture records based on both legal and regulatory requirements and business value.
This identifies which records in the schedule contain personal information and details the business justification for retaining any personal information longer than the recordkeeping legal requirement.
An online, web-based version of the Records Retention Schedule managed in Microsoft 365, using native Power Apps functionality. The use of this existing technology eliminates the need for an additional, dedicated software product, saving substantial investment dollars. Other advantages include customized views based on group, function or role. It also provides a search function so employees can easily search the schedule for specific record types and information.
Starting or updating a records management or Information Governance program can be intricate. Approaching it as a single large project risks stalling progress. Contoural’s Assessment and Roadmap Service employs a “divide and conquer” strategy, breaking the effort into manageable steps over time. Additionally, the service identifies “quick wins” that showcase program benefits and foster support from sponsors. Early victories build momentum and buy-in throughout the process, in contrast to a single win at the end of prolonged projects.
After reviewing, developing and updating hundreds of schedules across a variety of industries and assessing their implementation, we have found compliant and easier-to-execute policies and schedules share some common attributes.
A policy should also make clear why the organization needs a records management policy and the types of records to be covered. It should also indicate whether electronic data, such as email, instant messages, and content generated from social media and collaboration tools – as well as drafts and convenience copies – are to be considered business records. The policy also needs to include the specific roles and responsibilities of the records management staff, legal department, other employees, and outside personnel who handle organizational records. The policy must also document provisions for violations of the policy.
A basic requirement for any schedule is that it should be compliant with, and defensible under, federal, state and industry-specific, as well as country-specific, international record mandates. The schedule should include minimum retention periods, retention trigger events and descriptions of the records (paper/physical and electronic) that the organization maintains in the regular course of business.
An effective schedule identifies which information has business value and how long this information should be retained. This can include intellectual property, trade secrets, business processes and other information important to the operation of the business. A schedule can separate truly valuable business information from low-value information employees simply want to save forever.
Conflicts between privacy requirements and recordkeeping legal and regulatory rules can create non-compliance. Privacy and recordkeeping retention rules should both be incorporated into a single policy: a data retention policy/records policy and schedule. Both sets of requirements aim to detail what information needs to be saved for how long. Putting them in a single document makes it easier.
Contoural’s experienced records retention consultants offer the industry’s most advanced records policies and schedules. Contoural has worked with hundreds of companies (including 30% of Fortune 500 companies) to develop records retention schedules and data retention policies that are not only compliant but also easy for employees to understand and use, and are focused on execution. Furthermore, we synchronize privacy and recordkeeping requirements to avoid conflicts.
Our records retention consultants know how to work with key stakeholders such as IT. Our records retention consultants also work with your business units to figure out what should be saved, what has business value, and for how long it should be saved. We do more records retention schedules than anybody else, in part because of our innovative approach.
Our easy to implement approach starts with a records retention schedule designed specifically for your needs – no out of the box records Policy Execution or records policy creation here:
Of less concern is what the document is called. Some companies call it a data retention policy; others call it a records retention schedule. It is not important. What matters is that data retention policies are records-enabled, and records retention schedules are privacy-enabled.
Meeting privacy data minimization requirements creates an additional complication on top of existing and often challenging records retention requirements. Avoid the temptation to create separate policies and go it alone. Engage other stakeholders as well as business units. Keep these policies up to date. Developing compliant, balanced approaches in modern, easier-to-execute policies may take a little more effort at the beginning, but well-crafted policies make execution much easier, reduce downstream conflicts, and reduce or avoid disposition resistance from business units and employees. It is worth the effort to do it right. Contoural has the privacy consulting experience to help your business work through this.
It is best practice that the end result should not focus exclusively on legal and regulatory requirements. Rather, these policies also need to address business need and value. A good data retention policy/records policy and schedule serves not only as a legal statement, but also seeks to achieve a reasonable consensus with business units and other stakeholders regarding what information needs to be maintained to run the business and what can and should be deleted (and when). Any deletion exercise depends on having this agreement. Failing to build this consensus at the beginning will force companies to revisit it every time they try to delete information.
Publishing a schedule online also provides the flexibility to publish department- and function-specific views of the schedule. These views contain records types that are relevant to a specific department, excluding record types that do not apply to the given function. Instead of having to look through an entire schedule, these narrower views allow employees to easily see in a single page or two their most relevant record types. All of this typically can be accomplished with technology that companies already have in-house.
Traditional records programs create a schedule and publish it in either paper or PDF format. Records managers themselves may enjoy having a single consolidated view of records requirements in a single document; however, this appreciation typically is not shared by employees who must manually search through these long schedules to find relevant records. If the process is too cumbersome, even well-intentioned employees will quickly abandon looking up information in the schedule.
Should we have country or region-specific schedules, or should we create a single global schedule?
It is often better to have a single, global schedule with local exceptions where necessary than to have multiple geography-specific schedules. First, while recordkeeping requirements do vary across countries, the differences may be small, and often the business value of retention trumps the various legal requirements. Second, record-containing emails and files flow across borders, between a marketing team in the US and a development team in India, for example. While you could declare the US-based marketing team as the records custodian, does that mean the records do not fall under Indian record management policies? It quickly becomes complicated. Hence a policy with a single global retention period is arguably more compliant. Finally – and most important – it is exceedingly difficult to implement multiple policies, especially as companies often have the same content management system for multiple countries.
Note that there are some outliers. For example, China requires retention of some accounting records for 15 years, which substantially exceeds the typical 7-year retention in the US, and the 8-year retention required in several European countries. It may make sense to set the global policy for eight years with a specific local exception for China. China also requires permanent retention of some key records.
Contoural is the largest independent provider of strategic Information Governance, Privacy, and AI Governance consulting services, including records and information management, litigation readiness and control of privacy and sensitive information.
Copyright 2024. All Rights Reserved