Document Retention and Destruction Policy Essentials for SMBs

Melanie Boop, Content Marketing Specialist

You might be surprised to learn that small and medium-sized businesses are prime targets for cyberattacks. About 57 percent of small business owners think they aren’t a target for cybercriminals, when in reality, small businesses represent 43 percent of all data breaches, according to a Verizon Data Breach Investigations Report. While large corporations often seem to rebound from breaches and cyberattacks, small businesses aren’t always as fortunate. The majority of small businesses that suffer a cyberattack—60 percent—go out of business within six months of the attack.

Thankfully, SMBs can minimize the risk and consequences of a data breach with a “less is more” approach when it comes to records and information management. Continue reading to learn about the risks associated with over-retaining documents, how to determine the retention period of common business records, and what to do with documents that no longer need to be retained.

Document Retention: The Risk of Letting Your Documents Pile Up

Organizations that save documents past their retention end date increase the risk of a data breach and non-compliance with government and industry regulations, potentially resulting in penalties, fines, and legal issues. In addition, over-retention poses a variety of other risks to businesses, such as:

  1. Increased Storage Costs: Storing unnecessary records consumes valuable physical or digital storage space, leading to increased storage costs for the organization. This includes expenses related to maintaining physical storage space or purchasing additional digital storage capacity.
  2. Compromised Data Integrity: As records age, their integrity and reliability may deteriorate. Outdated information can become inaccurate, incomplete, or obsolete, undermining the organization’s ability to make informed decisions based on reliable data.
  3. Loss of Efficiency: Employees may waste time searching through a large volume of outdated documents, leading to inefficiencies and a lack of productivity.
  4. Legal Risks: Retaining records past their retention period may expose the organization to legal risks in case of litigation or regulatory audits. Failure to adhere to record retention requirements can weaken the organization’s defense and result in adverse legal outcomes.
  5. Reputational Damage: A data breach or non-compliance incident resulting from retaining records past their retention period can damage the organization’s reputation and erode trust among customers, stakeholders, and partners.

The Essential SMB Document Retention and Destruction Policy

Starting with a strategic record and information management (RIM) policy can help small businesses create, manage, and destroy documents more securely and efficiently.

While there are some documents your small business may need to securely store for an indefinite period, most documents shouldn’t be held on to for too long. Here are some common record types your business is likely to generate and recommendations for determining how long they should be retained:

Old Tax Records

The IRS has set some standard retention recommendations for small business tax records. However, the exact length of time you’ll need to keep a document may vary from industry to industry, as well as from one record type to another. This can range anywhere from 2 to 7 years, and sometimes longer.

When defining your document retention buckets, be sure to consider the following record types:

  • Business income tax returns and supporting documents
  • Employee tax records
  • Business asset records

Make a habit of cleaning out expired paperwork before adding tax records from the current year. The key is developing a document retention and destruction policy that you can successfully implement. Not only will regular cleaning improve security, but you will also benefit from reclaimed usable space within your office.

Old Records of Employment

Records of employment contain sensitive data that you’re expected to protect, including Social Security numbers, email addresses, and health information. Companies that keep employee records past their retention date risk a breach of personally identifiable information (PII).

For most human resource files, employers should retain the records for as long as an employee is working at the company and up to seven years after they have left or are terminated. For individuals who applied for a job but were never hired, information should generally be kept for a minimum of three years. These records include:

  • Applications, resumes, and verification documents
  • Payroll and benefits selections
  • Performance management reports
  • Training and development records
  • Certifications, licenses, and credentials
  • Retirement and termination documents

If you have questions about any of your old employment documents, including any employee benefit plans, speak with your attorney or information governance professional. Once you have confirmed which files you need to keep, organize them before destroying the rest.

Old Emails, Texts, and Other Digital Communication

Digital communication tends to reign supreme these days. This means that employees, customers, managers, and even investors communicate more often via email, social media, and messaging apps. However, sensitive information should not be shared this way, as these communication channels are not secure.

Taking a proactive approach helps you stop a security breach before it begins. Consider investing in a secure digital records and information management (RIM) platform that will allow you to share files with ease and greater peace of mind. Once you invest in a RIM platform, it’s important to convert all files that were once shared via email and securely destroy all irrelevant or outdated information.

How to Dispose of Expired Records Securely

Once you’ve identified all the documentation that your organization no longer needs, it’s time to dispose of the information. A digital RIM solution should be able to securely destroy all electronic communication records that reach the end of their retention period. A RIM partner can help you securely shred your outdated physical records, computer hard drives, and electronic media while complying with government regulations, including HIPAA, FACTA, FERPA, GLBA, and the Federal Privacy Act.

Get Started

Establishing a document retention and destruction policy, understanding the retention periods for common business records, and securely disposing of expired documents are critical steps for SMBs to safeguard their data and ensure regulatory compliance. By taking proactive measures and leveraging records and information management solutions, SMBs can minimize risks, enhance security, and maintain business continuity.

Access can help you create and maintain a comprehensive records retention schedule that addresses the laws and regulations, as well as the record types and series, applicable to your business. Contact us today to get started.