Organisations of all sizes can be weighed down by the volume of records that they create or gather both in paper and electronic formats. How does your company deal with this mountain of paper and electronic records?
How long should your company retain and archive such records when considering the countless number of complex national and international record retention requirements and other government agency standards?
A blanket indefinite retention and storage policy related to all of your company’s paper and electronic records is impractical and could still fall foul of data minimisation requirements of data privacy laws , costly and not the answer!
In contrast, an effective record management and retention policy will help to answer the above practical questions because such a detailed policy will define a company’s legal and compliance recordkeeping requirements. In addition, the policy should outline a system by which a litigation hold can override certain record retention requirements if the litigation hold requires a longer retention period, as well as when a company’s records may be destroyed following expiration of the applicable retention periods.
Scope and Application of a Company’s Record Management and Retention Policy
The scope of a company’s record management and retention policy should apply to all records of the company, regardless of the format that such records are created or stored. Each business unit and all of the company’s employees and officers should be required to adhere to the policy. Data awareness programs play an important part in an organisations data privacy strategy. The terms of the policy should be followed consistently and reevaluated on a periodic basis by management, the length of which should be identified for in the policy.
Retention Schedule in a Company’s Record Management and Retention Policy
Taking into account the global spread of operations of organisations there is no single law or regulation that establishes an identical record retention period with which a company must comply. Instead, the number of laws and regulations requiring a company to retain certain documents is increasing, along with the penalties a company may face for failing to follow best practices in their record retention management.
Therefore, a well planned record retention schedule should be included in a company’s policy that addresses each type or category of data created by a company in the course of its business and indicates the associated time period that these records are required to be retained.
Key components of a Record Management and Retention Policy
The policy should provide, at a minimum, the following:
- Types of records covered by the policy
- Specified procedures related to maintenance of each category of records created or obtained
- Record retention instructions, retention time periods and storage procedures
- Timeframe for when the policy should be reviewed and evaluated
- Steps that a company will take to ensure compliance with the policy and specified consequences for violations
Organisations should also have a system in place in which they identify the types or categories of records that are subject to a specific retention period. This identification system will provide guidance to the company as to when these records may be destroyed once the requisite retention period has passed. The policy should also provide clear record disposal and destruction guidelines that the company and/or its third-party contractors will follow.
The Importance of Having a Record Management and Retention Policy and Next Steps for Your Company
The most significant takeaway here for organisations is that they have a written record management and retention policy, and that their employees, officers and applicable third parties are following this policy consistently and effectively.
If your company does not have such a policy in place,a shrewd decision would be to engage proficient advisors to assist in creating a written record management and retention policy and putting appropriate protocols in place to ensure compliance with national or global requirements.
Relentless Privacy and Compliance Services is uniquely situated to provide policy advice and services in this area as its Data Security & Privacy Team has vast experience in assisting companies of all sizes with creating and updating their record management and retention policies, as well as creating frameworks by which companies can manage their types of records based on the applicable retention periods.