Organizations small and large are responsible for managing the lifecycle of the records and information they produce and receive through business transactions from their creation to their destruction. With the almost unfathomable amount of data and information that is produced on a daily basis, as well as the new technologies and types of records that are now commonplace, organizations that have not reviewed and revised their retention policies for the modern workforce could be putting their companies at risk.

In Part One of our blog, we discussed the who and what of an efficient records retention strategy. Discover the where, when, why and how below.

3. WHERE?

Where are your records stored?

During your records inventory, you’ll need to identify all your records as well as where they are located. For some information, the records may exist in several locations, in a variety of formats and even in multiple pieces of software. When conducting your records assessment, make sure to identify all storage locations and tools, including:

  • Digital Records Management Systems
  • On-site Storage Facilities
  • Off-site Records Centers
  • Secure Off-site Storage Vaults
  • Data Centers
  • Network Servers
  • Backup Servers
  • Backup Media
  • Enterprise Content Management Systems
  • Email, Messaging and Collaboration Servers
  • Laptops and BYOD Devices
  • Other Software Platforms Including HRIS/HCM, ERP Systems, etc.

As you complete your internal audit, look for records that are duplicated and stored in multiple locations, and assess how efficiently your records can be accessed when needed. If all of your vital information is securely stored off-site but is difficult to access as needed, a digital solution can help.

4. WHEN?

When do you keep your records and when do you destroy them?

Now we’re really getting into the essence of retention and destruction schedules. Once you know what information your company has, you need to identify the specific retention period for each record or group of records. Retention periods will vary depending on a variety of factors, including:

  • Legal and Regulatory Requirements
  • Industry Specific Requirements
  • Taxation and Financial Reporting Needs
  • Internal Administrative Needs
  • Historical Requirements / Value
  • Company Organizational Culture
  • Litigation Holds

Think back to when you organized your information into separate categories. Some documents that are created within your organization will fall into the non-records bucket; however, you’ll still want to determine an appropriate retention period for information that may be useful or contain confidential data that could put your business at risk. Emails, for instance, may need to be discarded at least every thirty days or, depending on the subject matter, may need to be retained so that they are available for discovery and support in the event of legal inquiry and challenge.

For each information category, identify the required retention periods and enforce a strict retention schedule that adheres to it. Set up routine destruction services for each retention schedule so that each record can be securely shredded or destroyed when it reaches the end of its lifecycle.

When it comes to enforcing the retention and destruction of all your documents in an efficient and compliant manner, automation can help. Automated retention schedules minimize the unnecessary risks associated with expired records and free up your team for higher-priority tasks. With automation, the tracking and destruction of your records is done for you, and new rules and updates to existing regulations can be automatically applied to your information to ensure compliance and eliminate the need for excess storage space on-site. If preferred, approval stops can be added to the workflows so that a decision point is inserted prior to automatic destruction, while still realizing most of the benefits of automation.

5. WHY?

Why are you updating your records retention policy?

Your information is one of your business’ greatest assets, but it can also be your downfall when not managed properly. A strategic retention and destruction policy protects your information, your customers and your business and makes your company more efficient at the same time. Governance is increasingly important in today’s environment and sound policy around records and information is good common sense.

6. HOW?

How will you implement your new retention strategy successfully?

By following the process and steps laid out in this document, you will be well on your way. Building a team of records managers, department coordinators and experts that can evaluate, design and implement a strategy that encompasses the records and information of your entire organization is the first step. Once a strategy is implemented, clear and consistent training will also be needed to ensure all team members understand how different records should be created, stored and discarded.

Ongoing maintenance is vital to the success of your retention strategy. Regular monitoring and troubleshooting will allow you to identify any issues early on and make updates as needed.

If you’re going to automate your retention and destruction schedules, make sure the technology you invest in can adapt to your unique needs. Your retention schedule will not fit into a cookie-cutter design. It must be customized to meet your organization’s specific requirements and adaptable so that you can adjust to the always-changing and ever-expanding rules and regulations of information protection and data privacy.

In Conclusion

Even if you already have a retention schedule in place, if you haven’t reviewed and implemented changes that reflect the ever-changing data landscape, it’s time. Companies that don’t update their policies to reflect new regulations and emerging technology could face strict government enforcement actions, costly lawsuits, and devastating data breaches. Besides changes to the regulatory environment, keeping up with all the new systems and software as well as new technology-driven data growth and data types should be a critical part of your risk management strategy.

Luckily, you don’t have to do it alone. Choosing an experienced partner to help you develop a clear strategy and automate your retention schedule will help ensure that all your needs are met, and your organization is always compliant.