Best Practices for Creating a Defensible Records Retention Schedule

Best Practices for Creating a Defensible Records Retention Schedule

Melissa Kolodziej

Here’s a riddle for you: How much investment does the average organization need to make in order to update a US-based organization’s records retention schedule every year? 

The answer is… 

                          …It depends. 

The reason: creating and maintaining a records retention schedule is becoming more complex, with privacy laws that are frequently in conflict with retention requirements. 

Navigating that paradox means it’s more important than ever to have a vetted documented records retention schedule that you can justify retention or destruction of any particular records. 

This post will give a brief overview of retention schedules, the current complexities in updating them, and how current solutions can enable a clear return on investment. 

What does a Records Retention Schedule Contain? 

While this may seem like going back to basics, a 2021 ARMA IG Maturity Index Report highlighted that only 17.4% of organizations surveyed are meeting more than just basic requirements for their processes. Likewise, during our webinar on records retention schedules, only 50% thought that they had a good RRS in place. 

So we’ll start with a brief definition and a review. 

At the core of any defensible records and information management program is a vetted retention schedule. It covers the length of time, the location, and the form in which a record is kept.  

A comprehensive retention schedule should contain at least the following:  

  • An official record owner – In other words, the name of the office, department or business unit where the record(s) in question are created or stored. 
  • Records inventory – A records inventory provides a comprehensive description of all the records your organization or department creates, collects, stores and manages. 
  • Disposal action – The disposal action outlines what happens to records once they reach the end of the document lifecycle. Many documents will need to be destroyed or shredded. However, other records may need to be transferred, reviewed at a later date or stored indefinitely offsite. 
  • Retention period – A retention period is the minimum length of time that a record or group of records needs to be retained before the disposal action is undertaken. Often, this period is stated in terms of months or years, but may also be contingent upon other events, like the termination of a contract or once a project is completed. 
  • Disposal trigger event – Most often, this will be when the document reaches the end of its retention period but could vary depending on the record type, or whether the document is being held for litigation or auditing. 

Best Practices for Creating or Updating a Retention Schedule 

Whether your organization is looking to create a retention schedule from scratch or updating an existing one, there really isn’t much of a difference in terms of effort required. 

Access’ T’Don Marquis has observed that “many Access clients that initially came to us weren’t necessarily creating schedules from scratch but taking their current work and supplementing it with best practices, which can take as long as starting with nothing.” 

The first step of tackling the creation or revision of a retention schedule is research. That means understanding the following questions: 

  • What existing laws are we subject to? 
  • What new laws recently passed that we will be beholden to in the future?  
  • What jurisdictional requirements by country/by state are we subject to? 
  • What new laws are being considered that we could need to incorporate? 

You’ll notice that three of those four questions are not static answers—they will continue to change and evolve over time.  

Creating a retention schedule is competing in a sport where the rules change constantly. To put this in perspective, Access’ software solution Virgo’s database contains retention policies for 140 countries and contains over 200k citations… but continues to grow and change by the day. 

Therein lies the challenges that many organizations are faced with – keeping up with change and having the resources to act when required.  

Challenges and Complexities with Records Retention Schedules  

The current focus on privacy and expansion of privacy laws across the globe has made maintaining or updating a retention schedule more complex than ever.  

Likewise, there is a new degree of sophistication needed for organizations to comply with retention and disposition laws. The potential for litigations, discovery, investigations, and audits demand defensibility. The stakes are high when it comes to compliance. You can’t just pay lip service to retention – you have to follow through and be able to back it up. 

This is why organizations need a retention schedule that can be referenced in case they need to justify why a record was (or wasn’t) destroyed. 

Here’s a simple example: 

In the U.S., the record of termination of an employee must be retained for 40 years. At the same time, it contains conflicting PII which must be destroyed within a much shorter period depending on the record type. 

With so many requirements that are often in conflict, it usually results in keeping a record too long rather than destroying it too early. According to a survey of information security, compliance, and privacy professionals across 50 of the most respected companies headquartered in the U.S., over-retention (not early destruction) of information is a top concern. 

Building a Business Case for Investing in a Retention Schedule Solution 

It takes an enormous amount of time, effort, and energy to understand what requirements an organization is subject to. 

“Along with so many regulatory changes over many decades,” Access’ T’Don Marquis observed during a recent presentation, “we’re working with Access clients that are subject to a substantial amount of laws. For instance, domestic U.S. companies are subject to 8,000 to 15,000 requirements, while global clients are subject to more than 30,000 laws. We even have some complex global enterprises that are subject to 100,000 requirements.”  

Manually tracking these requirements requires an enormous amount of revenue and time investment to accomplish. 

Finding the most efficient way to perform these updates is key because, in the end, it boils down to a simple direct correlation, or as T’Don Marquis puts it, “The more time it takes, the more expensive it gets.”  

Making the business case for investing in a retention schedule automation solution like Access’ Virgo comes down to a few key points. 

Qualities of an effective records retention scheduling software 

If you’re looking to leverage a technology solution that will enable you to create, maintain, or update a retention schedule, then it should be able to do the following:  

  • Provide a single source of truth for privacy and retention 
  • Allow your organization to meet the best practice of updating annually 
  • Be legally defensible in the case of e-discovery, policy audits, and defensible destruction 
  • Inventory the information that needs protection 
  • Include privacy requirements 
  • Be agnostic to what medium the record is in  

Conclusion 

Building a schedule or records retention program is just the beginning. Maintaining compliance, with constant changes occurring, is another. 

Refreshing a retention schedule in the United States alone is a substantial lift because new laws are passed daily. As mentioned on the recent live Access webinar, “We ran a calculation in our Virgo database and there are approximately 200 updates to retention requirements per day.” 

Are these changes a typo fix, a clarification, or a significant change? When you reach a certain scale, it’s cost prohibitive for a team to track all of this. 

For more detailed information on how a records retention solution can deliver impressive ROI, be sure to check out our recent webinar presented with ARMA: OMG, Yes! Retention Management ROI is Attainable. 

Watch Now