Define and implement record retention policies
Throughout every day at every company, information is produced. Email, documents, annual reports, plans, statements, invoices, and other types of information are generated at a staggering rate. Some of the information you create and collect falls into the category of a “record.” Records are important to a company, so important that companies define policies that define explicitly how to manage them — where they must be stored, how long they must be kept and the process that must be used to destroy them.
A records policy is a framework that outlines that set of rules for managing each type of record. It includes things like procedures for handling the information, business rules, regulations that affect the record, retention schedules and more.
For this post, we want to focus on the records retention aspect of records management.
What is a retention policy
A retention policy (also called a ‘schedule’) is a key part of the lifecycle of a record. It describes how long a business needs to keep a piece of information (record), where it’s stored and how to dispose of the record when its time.
It seems very straightforward, and in many ways it is. But many organizations are challenged with setting up and managing retention policies. It’s partly about how they record this information and track it, and partly about communicating the policy with all the employees that deal with the identified record type.
Some people think it’s easier to keep everything forever. But with the growth of records, the costs related to storing those records (whether they are digital or physical) and the risks of having that information exposed to the wrong people or not stored according to official regulations, a “keep everything” policy doesn’t make sense.
It makes even less sense when you think about all the different places you can store a record if it’s not following a specific records policy. Network file shares, SharePoint, hard drives, cloud-based file shares, business applications, the list of places where you can store information in a company is unmanageable.
Companies need retention policies to control the growth of records, ensure those records are in compliance with business and industry regulations and can be found quickly in the case of litigation and legal hold.
The ability to quickly find the right information is another benefit of a comprehensive records management policy, but we’ll leave that topic to another time.
Whitepaper How to Simplify Complex Records Management in Compliance-Driven Organizations
This paper, co-authored by Flatirons, explains why traditional methods fall short and what to look for in a next-generation Records Management solution.
How to create a retention policy
Solutions like everteam.policy can help you manage your retention policies. But first, you need to define what those policies are. How do you get started?
- Identify any federal and local regulations you must adhere to. These regulations will define the type of record they apply to and how you need to treat them, including the retention policies to apply.
- Identify any internal records policies your company has defined specifically.
- Group your records into categories or classifications that match a specific regulation and a business rule.
- For each category of record, capture the following information: where the record is found, retention period – if applicable, the retention event – if applicable, the retention medium, the department/group/country the policy applies to, what group supervises compliance, any security rules, and the disposition process (delete, move to long-term archive, etc.).
You can capture all this information in a spreadsheet, but managing it from a spreadsheet is challenging. Once you have your initial retention policies defined, you can import them into a policy management solution like everteam.policy.
Now that you have your retention policies defined, you need to start mapping your records based on the appropriate policies. This is a big project in itself and requires support from other teams, such as legal and IT. As part of your mapping process, you will find there is a lot of information that you don’t need to retain, and you’ll need to decide how to deal with it (but that too is a topic for another day).
Review and revise policies regularly
Holding periodic reviews of your retention policies is important. Regulations change, new regulations come into play, businesses changes. With these changes will come adjustments to your retention policies.
But remember – you have already dealt with many records according to the rules applied. When you update a record retention policy, you don’t want to lose all the information related to how you managed retention to past records.
What you want to do is create a new version of a retention policy and apply it to records going forward. This approach gives you an audit trail that notes when a retention policy was changed, by who, what the changes were and why.
Managing multiple versions of a retention policy in a spreadsheet is a lot harder to do because you will need to manage multiple versions of your spreadsheet, communicating to policy managers when a new version is available and ensuring everyone is working from the most recent version.
A policy management solution should allow you to update your retention policies and maintain a record of past versions, as well as what records you applied those past versions.
It’s time to get started
You don’t need a policy management tool to define your retention policies. You don’t even need a spreadsheet. You could work with a piece of paper and a pen, or a Word doc.
The first important aspect of a retention policy framework is simply getting the policies identified and defined. Then you need to decide how to get them to a place where everyone can find them and understand what they are. Finally, you need a way to manage them. And that is where a policy management solution is critical.
When you are ready to think about tools to manage policies, check out everteam.policy.