Contoural - Records Retention & Data Retention Policy Services

Records Retention Policy and Schedule/Data Retention Policy Services

Contoural is the leader in creating modern, compliant and easier to execute data retention policies/records retention schedules. Contoural’s schedules help organizations meet legal and regulatory requirements, personal information disposition rules as well as business needs:

Top Three Records Retention Policy and Schedule Resources

Essential Record And Data Retention Policy Questions

Contoural’s Approach for Records Retention Policy and Schedule/Data Retention Policy Creation and Update Services

Today organizations are inundated with both paper and especially electronic information. At the same time, the legal and regulatory recordkeeping environment is becoming stricter. The challenge is not only recordkeeping; companies face new and more stringent privacy rules, need to identify and protect high value and confidential information from threats, and need to reduce risk and costs during litigation. Making these challenges worse, hoarding of electronic documents by employees who are convinced that they need to save everything forever is ironically hurting the employees’ own productivity as high value information gets lost among the clutter of older and useless documents, data and their copies. Left unaddressed these problems only get worse.

Records Retention Schedule vs. Privacy Data Retention Policy

Companies face both legal and regulatory recordkeeping rules requiring them to retain records for a minimum length of time and also privacy rules limiting how long personal information can be retained. It is a mistake to have a separate records retention policy and schedule and also a data retention policy as having retention in two policies can create conflicts and inconsistent retention. The best practice is to have a single policy containing both records and privacy.

Records Retention Policies and Schedules/Data Retention Policy Deliverables and Options
Compliant Records Retention Policy

What is commonly referred to as a records policy actually has two pieces: a policy and a schedule. A records policy is the “what” of the program and covers records management objectives, scope, definitions, and guidelines, including legal hold obligations and the consolidation of existing policies enterprise-wide.

Optional Information Types Inventory
Before records can be classified, a baseline inventory of the types of data and documents held by the organization needs to be developed. This is called an Information Types Inventory (ITI) and is a working list of record and information types, including departmental inputs on business requirements and document examples. Using a combination of existing documentation and in-person interviews with business functions across the enterprise, record and information types (discrete elements of information that need to be managed and protected) can be collected and confirmed. The inventory process includes identifying (or validating and enhancing existing lists of) information types (including any existing schedule), identifying process outputs, and collecting record type examples during interview sessions.
Records Retention Schedule/Data Retention Policy

A records schedule contains the specific detail on how long information should be saved, and typically is an appendix to the Policy.  Some organizations name the schedule a data retention policy, which is effectively the same thing. A well-designed schedule will be compliant and defensible and will address applicable audit and legal considerations, including specific business and operational requirements.  A schedule should capture records based both on legal and regulatory requirements as well as business value.

Legal and Regulatory Record Keeping
Also avaliable is a detailed listing of legal and regulatory requirements for records listed in the schedule.
Personal Information Legitimate Business Need

This identifies which records in the schedule contain personal information and details the business justification for retaining any personal information longer than the recordkeeping legal requirement.

Microsoft 365 Records Retention Schedule PowerApp

An online, web-based version of the Records Retention Schedule managed in Microsoft 365, using native Power Apps functionality. The use of this existing technology eliminates the need for an additional, dedicated software product, saving substantial investment dollars. Other advantages include customized views based on group, function or role. Also provides a search function for employees to easily search the schedule for specific record types and information.

Conquer Approach with Wins along the Way to Avoid Getting Stuck

Starting or updating a records management or Information Governance program can be intricate. Approaching it as a single large project risks stalling progress. Contoural’s Assessment and Roadmap Service employs a “divide and conquer” strategy, breaking the effort into manageable steps over time. Additionally, the service identifies “quick wins” that showcase program benefits and foster support from sponsors. Early victories build momentum and buy-in throughout the process, in contrast to a single win at the end of prolonged projects.

What Makes a Good Data Retention Policy/Records Retention Policy and Schedule?

After reviewing, developing and updating hundreds of schedules across a variety of industries and assessing their implementation, we have found compliant and easier-to-execute policies and schedules share some common attributes.

Defensible Policy

A policy should also make clear why the organization needs a records management policy and the types of records to be covered.  It should also indicate whether electronic data, such as email, instant messages, and content generated from social media and collaboration tools – as well as drafts and convenience copies – are to be considered business records.  The policy also needs to include the specific roles and responsibilities of the records management staff, legal department, other employees, and outside personnel who handle organizational records.  The policy must also document provisions for violations of the policy.

Defines Legal and Regulatory Recordkeeping Requirements

A basic requirement for any schedule is that it should be compliant and defensible with federal, state and industry-specific, as well as country-specific, international record mandates. The schedule should include minimum retention periods, retention trigger events and descriptions of the records (paper/physical and electronic) that the organization maintains in the regular course of business.

Defines Records with Business Value

An effective schedule identifies which information has business value and how long this information should be retained. This can include intellectual property, trade secrets, business processes and other information important to the operation of the business. A schedule can separate truly valuable business information from low-value information employees simply want to save forever.

Both Typical and Uncommon Records Identified
A schedule should include all the records across the organization. Companies often try to take short-cuts by copying from industry templates or sample schedules that purport to include all records a company in that industry should have. Most schedules easily capture “typical” records such as payroll and human resources. Companies should also identify non-traditional, uncommon or even unique record types. Often these uncommon record types end up becoming the most important types. These records are best uncovered by interviews. These types of schedules really do your organization a disservice because even though you may be in a similar industry, your organization has unique qualities that other companies in your industry may not share. Also, these template schedules tend to undervalue business need.
Privacy Requirements Synchronized with Recordkeeping Rules

Conflicts between privacy requirements and recordkeeping legal and regulatory rules can create non-compliance. Privacy and recordkeeping retention rules should be incorporated incorporate both into a single policy- a data retention policy/records policy and schedule. Both sets of requirements aim to detail what information needs to be saved for how long. Putting them in a single document makes it easier.

Records identified across all media
A schedule should reflect a media-agnostic approach that does not, for example, classify email as a record type, but rather recognizes email as a medium that contains both records and non-records. Today, many records – some exclusively – exist in newer media such as email, files and even social media. A more mature schedule includes all media types and will help change the mindset that your schedule only applies to paper records.
Clarity in a Policy and Schedule
Record retention policies and schedules need to be clear and prescriptive about what is and is not a record. Avoid using confusing acronyms. Spell out event-based triggers. Offer only a few choices of retention periods. Ensure that the schedule considers business value so that employees save documents in the appropriate repositories rather than in underground archives.
The Schedule Represents a Consensus on What to Save and Not Save
Looking to combat ongoing accumulation of older files, emails and paper records, many organizations look towards their records policies and schedules as a mechanism to defensibly delete unneeded documents and data. Employees, in Legal and IT’s view, have a bad habit of wanting to save everything forever. There is a fear that any discussion with the business units will result in their demands to save everything. The temptation is to create the schedule without input from the business. Our experience over the years has demonstrated that the most successful disposition efforts – getting rid of 70% or 80% of unneeded files, for example – are more likely to occur when business units and departments are included on policy discussions and a consensus is reached. Effective schedules seek to build a consensus on what to save and what not to save. Stakeholders, business units and employees must agree that the schedule represents the appropriate retention and destruction of company information and that it reflects business value.
The Schedule is Easily Usable
A records retention schedule must be easy to understand. The schedule must identify and be organized to make it easy for any given employee to find records in a language that is familiar to them. It is helpful to provide specific definitions of record and non-record, as well as examples that employees actually use. To improve the results, do not burden employees with descriptions of record types that they are not likely to encounter. The traditional approach is to organize the schedule from the perspective of the records manager. A more modern approach is to organize the schedule based on business function or role, allowing it to be quick and accessible. Use a departmental or level-schedule or specific file plan (a subset of the schedule) to communicate the categories and which documents need to be saved in them.
Integrates with Other Compliance Frameworks
The legal and regulatory requirements around records retention are only one type of compliance regime impacting documents and data. Other regimes include privacy, eDiscovery, information security and intellectual property. As such, a schedule, as well as a records retention program, should not sit as an island, but rather should be consistent and integrate with these other compliance regimes. A well-designed schedule should be a useful tool in all these functions. The data classification and privacy components of your IG program should leverage the schedule to understand what types of records exist, if they contain confidential information, Personally Identifiable Information (PII) or Intellectual Property (IP) that needs to be protected. Share the effort – many compliance hands make less work.
Can Be Easily Maintained
A schedule is a living document that must be periodically reviewed and updated. New record types are created, old record types become obsolete and legal citations change all the time – not to mention new recordkeeping regulations that come into play. Contoural recommends that schedules be refreshed every 12 to 18 months. Companies should then update their processes and training to reflect any changes in there fresh. Updates should include:
Contoural’s Approach to Creating Modern, Compliant and Easier to Execute Data Retention Policies and Schedules

Contoural’s experienced records retention consultant offer the industry’s most advanced records policies and schedules. Contoural has worked with hundreds of companies (including 30% of Fortune 500 companies) to develop records retention schedule creation and data retention policies, that are not only compliant but also easy for employees to understand, use, and are focused on execution. Furthermore, we synchronize privacy and recordkeeping requirements to avoid conflicts.

Our records retention consultants know how to work with key stakeholders such as IT. Our records retention consultant also work with your business units to figure out what should we save and what has business value and for how long should it be saved. We do more records retention schedules than anybody else and in part because of our innovative approach.

Our easy to implement approach starts with a records retention schedule designed specifically for your needs – no out of the box records Policy Execution or records policy creation here:

Comprehensive
Contoural’s records retention schedule creation incorporate all types of records across all media. Our data collection surfaces all relevant records, not just the traditional or obvious ones.
Integrated
We consider the need for integration into your overall Information Governance program. A well-designed records retention schedule should be a useful tool when used in conjunction with data classification, privacy, security, litigation readiness, and employee collaboration.
Customized
Simply taking a generic, industry-generated records policy Development or records retention schedule or a using simple survey doesn’t work. Our experience allows us to create a customized records Program Development and records retention schedule Development that fits your organization’s risk appetite, litigation profile, and company culture.
Captures Business Value
Effective Information Governance Consultants not only capture legal and regulatory requirements but also business need and business value.
Open Format
Contoural records retention schedules are provided in a variety of open, flexible and customized formats including worksheets, access databases or content management systems.

Of less concern is what the document is called. Some companies call it a data retention policy; others call it a records retention schedule. It is not important. What matters is that data retention policies are records-enabled, and records retention schedules are privacy-enabled.

Meeting privacy data minimization requirements creates an additional complication on top of existing and often challenging records retention requirements. Avoid the temptation to create separate policies and go it alone. Engage other stakeholders as well as business units. Keep these policies up to date. Developing compliant, balanced approaches in modern, easier-to-execute polices may take a little more effort at the beginning, but well-crafted policies make execution much easier, reduce downstream conflicts, and reduce or avoid disposition resistance from business units and employees. It is worth the effort to do it right. Contoural has the privacy consulting experience to help your business work through this.

It is best practice that the end result should not focus exclusively on legal and regulatory requirements. Rather, these policies also need to address business need and value. Good data retention policy/records policy and schedule serve not only as legal statements, but also seek to achieve a reasonable consensus with business units and other stakeholders regarding what information needs to be maintained to run the business and what can and should be deleted (and when). Any deletion exercise depends on having this agreement. Failing to build this consensus at the beginning will force companies to revisit it every time they try and delete information.

Automatically Publishing Department or Role-specific Views

Publishing a schedule online also provides the flexibility to publish department- and function-specific views of the schedule. These views contain records types that are relevant to a specific department, excluding record types that do not apply to the given function. Instead of having to look through an entire schedule, these narrower views allow employees to easily see in a single page or two their most relevant record types. All of this typically can be accomplished with technology that companies already have in-house.

Moving Your Schedule Online and Making It Searchable

Traditional records programs create a schedule and publish it in either paper or PDF format. Records managers themselves may enjoy having a single consolidated view of records requirement in a single document; however this appreciation typically is not shared by employees who must manually search through these long schedules to find relevant records. If the process is too cumbersome, even well-intentioned employees will quickly abandon looking up information in the schedule. Should we have country or region-specific schedules, or should we create a single global schedule?

It is often better to have a single, global schedule with local exceptions where necessary than having multiple geography-specific schedules. First, while recordkeeping requirements do vary across countries, the differences may be small and/or often the business value of retention trumps the various legal requirements. Second, record-containing emails and files flow across borders between a marketing team in the US and a development team in India, for example. While you could declare the US-based marketing team as the records custodian, does that mean the records do not fall under Indian record management policies? It quickly becomes complicated. Hence a policy with a single global retention period is arguably more compliant. Finally – and most important – it is exceedingly difficult to implement multiple policies, especially as companies often have the same content management system for multiple countries.

Note that there are some outliers. For example, China requires retention of some accounting records for 15 years, which substantially exceeds the typical 7-year retention in the US, and the 8-year retention required in several European countries. It may make sense to set the global policy for eight years with a specific local exception for China. China also requires permanent retention of some key records.

Do We Have to Start Globally, or Can We Start in a Single Area Such as the US or Europe?
Many companies with most of their operations in one country find it easiest to develop a baseline schedule in the US, for example, and then update their schedule to include different countries. In some cases, the global corporate retention policy may be adjusted to meet a slightly longer requirement in another market – e.g., customs records must be retained for 5 years under US laws, but Canada requires 6 years – to enable consistent systems and procedures. The US and EU countries typically have the strictest retention requirements, so these make good baseline areas.
A smarter approach is to publish the schedule online using the native capabilities of systems already in house, making it web accessible and searchable. Employees can quickly login, and search for a record type. This is especially useful if the schedule contains sample record types, as the employee can then search for the relevant sample record to identify the record category. Publishing online also ensures that employees are always accessing the latest and most current schedule.