When I first started working in records management, the world looked a lot simpler. Most of our conversations about retention involved paper, files, and email. Fast forward to today, and the landscape has changed dramatically. Everywhere we turn, someone is using a new tool to communicate, and we’re faced with a dizzying array of chats, encrypted messages, video recordings, transcripts from AI tools, prompts and outputs created by generative AI, and a host of other odds and ends. The sheer volume and variety of these formats have made information governance and data retention a far more complicated endeavor than ever before.
Just five years ago, the big question was, “How long do we keep email?” That question hasn’t gone away, but email is now just one of many ways employees communicate and collaborate. Surveys show that organizations use an average of more than three different messaging apps, and employees split their time across these platforms.
Slack and Teams have become the digital hallways where conversations happen, and the line between a casual chat and a contract negotiation can be very thin. We’re also seeing a huge increase in ephemeral and encrypted messaging. Apps like Signal, WhatsApp, and Telegram are becoming common in business settings, sometimes without company knowledge or approval. Regulators are already cracking down, especially in financial services.
“The SEC has fined financial firms billions of dollars for failing to capture business communications from certain messaging apps.”
One client mapped their applications and found more than 40 collaboration and messaging tools in active use. WhatsApp groups, Zoom recordings saved in personal drives, unmanaged text messages documenting accidents on manufacturing floors, and Teams channels being used to negotiate deals. The problem wasn’t only the number of tools, but that decisions were being made in places where the organization had no visibility or retention controls.
Zoom and Teams recordings are exploding in popularity, with people wanting to record meetings and use AI tools to generate transcripts and action items. Some companies keep these recordings by default, often without realizing it, and few are asking whether these are records or how long they should be kept.
Another client once discovered that all of their HR performance review meetings were being recorded by default in Zoom. They assumed they were being deleted after a short period. IT had changed a retention setting to support leadership’s desire to keep board meetings permanently, but no one realized that this applied to every single recorded meeting. HR suddenly found themselves keeping a treasure trove of highly sensitive personal information forever. That discovery led to a full policy overhaul and some overdue discussions about what should and should not be recorded.
Generative AI prompts and outputs are a brand new form of communication that can contain sensitive information, decisions, and intellectual property. Most retention programs aren’t capturing these yet, but they should be. The problem is the volume, the fragmented formats, and the challenge of classification. Some of these communications are transient and may not last forever, but regulators and courts are already questioning how organizations manage them.
So, what do we do with all of this, and how do we develop good principles for retention? First, we need to acknowledge that the classic definition of a record still applies. If the communication documents a business activity and you have a legal or business reason to keep it, it is a record, regardless of format. It does not matter whether it came from email, Teams, Slack, Zoom, or an AI tool. If it’s just a thank you or a casual conversation, it’s not a record. The challenge is training employees to understand the difference and to manage information appropriately.
Regulators are paying close attention. The SEC has fined financial firms billions of dollars for failing to capture business communications from certain messaging apps. Privacy laws push in the opposite direction, requiring organizations to delete personal or sensitive data as soon as it’s no longer needed. Uncontrolled retention drives up costs and creates compliance risks, while deleting too soon can lead to gaps in documentation and sanctions in litigation.
The sweet spot is keeping information just long enough to meet obligations and business needs, then deleting confidently. This balance is what good retention principles are all about. For chats and messages, the line between casual and business use is fuzzy. Teams and Slack allow for separation between personal chats and business posts, and retention can be set differently for each. Texting services and apps like WhatsApp present additional challenges, as they lack enterprise-grade protection and centralized search.
Meetings and recordings are another big category. Most recordings are temporary by design, and the average size of a one-hour Teams recording is 400 megabytes. Microsoft found that 95 percent of meeting recordings were not watched after 60 days, and 99 percent were never watched again after 120 days. Auto-expiration is now the default, but organizations can set retention as low as one day or as high as never. Privacy concerns abound, especially when recordings capture faces, home environments, or minors.
Transcripts are emerging as a more defensible alternative to recordings. They are smaller, easier to classify, and more useful for discovery and auditing. The same retention principles apply: keep transcripts for meetings where decisions are made, and move them to a dedicated record-keeping system.
AI prompts and outputs are multiplying faster than email or chat. Most are not records, but some may be working files or final work product. If an output documents a business decision, it should be treated like any other record.
“If the communication documents a business activity and you have a legal or business reason to keep it, it is a record, regardless of format.”
Ultimately, good retention is about balancing legal requirements, business value, and practicality. The same principles apply across formats: keep most information for the short term, retain working versions as needed, and move records to the right system for long-term management. Communicate policies clearly, automate as much as possible, and review regularly to keep up with new tools and practices.
Most importantly, create policies that match how your employees actually work. If you prohibit text messaging but everyone uses it to report accidents at your work sites, that policy will not protect you. If employees do not understand what the rules are, they will either save everything forever or delete things too quickly. In either case, your risks grow.
Records management is not about mastering every tool, but it is a team effort. Legal, compliance, IT, and business units all have a role to play in applying consistent principles, understanding the business reality, and giving people clear guidance. With thoughtful policies, training, and automation, organizations can manage the odds and ends of modern communication and stay compliant in a rapidly changing world.
Learn more about creating a modern, compliant, and easier-to-execute records retention schedule that includes all media types. Reach out to us at info@contoural.com for more information.