Here’s a riddle for you: How much investment does the average organization need to make to update a US-based organization’s records retention schedule every year?
The answer is…
…It depends.
The reason: creating and maintaining a records retention schedule is becoming more complex, with privacy laws that are frequently in conflict with retention requirements.
Navigating that paradox means it’s more important than ever to have a vetted documented records retention schedule that you can justify the retention or destruction of any particular records.
This post will give a brief overview of document retention policy best practices, retention schedules, the current complexities in updating them, and provide a solution for streamlining the retention schedule review process.
While this may seem like going back to basics, the 2023 ARMA IG Maturity Index Report highlighted that only 20.5% of organizations surveyed are meeting more than just basic requirements for their processes. So, we’ll start with a brief definition and a review.
A records retention schedule is a policy that defines the length of time and disposition guidelines for both paper and electronic records.
Record retention best practices dictate that a defensible retention schedule should contain at least the following:
Whether your organization is looking to create a retention schedule from scratch or updating an existing one, your efforts will be focused on researching the laws and regulations your organization is subject to. That means understanding the following questions:
You’ll notice that three of those four questions are not static answers—they will continue to change and evolve over time.
Creating and updating a retention schedule is like competing in a sport where the rules change constantly. To put this in perspective, Access’ software solution Virgo™ contains retention policies for more than 200 jurisdictions worldwide and contains over 200k citations… but continues to grow and change by the day.
Therein lies the challenges that many organizations are faced with – keeping up with change and having the resources to act when required.
The current focus on privacy and the expansion of privacy laws across the globe has made maintaining or updating a retention schedule more complex than ever.
Likewise, organizations need a new degree of sophistication to comply with retention and disposition laws. The potential for litigation, discovery, investigations, and audits demands defensibility. The stakes are high when it comes to compliance. You can’t just pay lip service to document retention best practices—you have to follow through and be able to back them up.
This is why organizations need a retention schedule that can be referenced in case they need to justify why a record was (or wasn’t) destroyed.
According to an Access survey of information security, compliance, and privacy professionals across 50 of the most respected companies headquartered in the U.S., over-retention (not early destruction) of information is a top concern.
It takes an enormous amount of time, effort, and energy to understand what requirements an organization is subject to.
Access’ T’Don Marquis observed during a recent webinar on retention schedule annual reviews, “most of our US based customers are subject to 8,000 to 20,000 laws and regulations. That’s across retention, privacy, statutes of limitation, other types of requirements. Our global customers have to keep track of 30,000 or more regulations, or up to and over 100,000 depending on how many countries they have operations in.”
Manually tracking these requirements requires an enormous amount of revenue and time investment to accomplish.
Finding the most efficient way to perform these updates is key. T’Don Marquis continued by saying, “I don’t know about you, but 30,000 of anything or even 20,000 of anything is quite a lot. It’s hard to track, especially for a lot of newcomers in the industry or even experts that maybe are a one person team.”
This is where investing in a retention schedule automation solution, like Access’ Virgo software, can save your organization a significant amount of time and resources.
If you’re looking to leverage a technology solution that will enable you to create, maintain, or update a retention schedule, then it should be able to do the following:
Building a schedule and following record retention best practices is just the beginning. Maintaining compliance, with constant changes occurring, is another.
Refreshing a retention schedule in the United States alone is a substantial lift because new laws are passed daily. Are these changes a typo fix, a clarification, or a significant change? When you reach a certain scale, it’s cost-prohibitive for a team to track all of this.
During the same webinar on retention schedule annual reviews, Rebecca McIntyre, Security Specialist, Principal Data Protection & Privacy at American Electric Power, explained why they chose the Virgo solution over other options:
Rebecca McIntyre on Aligning Retention Schedules and Choosing Virgo
Learn from the entire conversation on conducting an annual retention schedule review by watching the on-demand recording of Retention Schedule Revamp: Techniques for Improved Privacy, Compliance, and Efficiency.
And, to learn more about Virgo, our cloud-based legal solution that informs your privacy and retention policies by providing continuously updated legal research in 220+ jurisdictions worldwide, request a free 30-minute consultation and demo with our privacy, policy, and security experts.
Share