Attributes of an Effective and Compliant Data Retention Policy and Schedule

- by Mark Diamond, Expert in Data Management

When creating a data retention policy there is a temptation to simply compile a list of legal requirements and call that the policy. Avoid this: a poorly designed data retention policy creates significantly more work later. Time invested in creating a compliant and effective policy not only drives better compliance, but also saves energy and effort during program execution.

Creating an effective data retention policy requires more than determining the maximum retention period for personal information in each geography. Rather, an effective data retention policy synchronizes privacy and record retention requirements, justifies the retention of personal information and perhaps most important, socializes and builds a consensus across the business.

A data retention “policy” consists of two components: a shorter, overarching policy and a detailed schedule. The policy has three primary purposes: 1) it defines the records and non-records covered by the data retention policy, including short-term working documents, and states that records must be kept for the duration of the retention period listed in the records retention schedule; 2) it states that once the retention period for a record or working document has expired, it must be destroyed; and 3) it states that in the event of a legal hold, disposition under the policy and retention schedule is suspended for the records covered by the hold.

The retention schedule is a listing of the records created and maintained by the organization. A schedule lists the records that must be kept for legal, regulatory or business purposes, details which documents and data contain personal information, and provides a retention period specifying how long each record must be retained. The schedule may or may not contain citations detailing the specific legal or regulatory requirements for retaining any given record. Note that the term “record” is used here for specific content that may carry either a minimum retention requirement (it must be kept at least this long) or a maximum one (it must not be kept beyond this point).

Attributes of an effective data retention policy include:

Address Information Across All Media – A data retention policy and schedule should reflect a media-agnostic approach that does not focus exclusively on application information stored in databases, but addresses all media, including files, emails and paper documents. Furthermore, the policy and schedule should not, for example, classify email as a record type, but rather recognize email as a medium that contains both records and non-records.

Compliant with Legal and Regulatory Record Retention Requirements – The policy and schedule should reflect federal, state and industry-specific record retention mandates, as well as the country-specific mandates of each jurisdiction in which the organization operates. The schedule should include minimum retention periods, the trigger events that start each retention period (for example, contract termination or fiscal year end) and descriptions of the records (paper/physical and electronic) that the organization maintains in the regular course of business.

Global Policy with Local Exceptions as Necessary – Despite the wide array of privacy and recordkeeping requirements across countries and individual states, it is better to have a single, global schedule with local exceptions where necessary than multiple geography-specific schedules. It is exceedingly difficult to implement multiple policies, especially as companies often run the same content management system for multiple countries. Note that there are some outliers. For example, China requires retention of some accounting records for 15 years, which substantially exceeds the typical 7-year retention in the US and the 8-year retention required in several European countries. It may make sense to set the global period at eight years with a specific local exception for China.

Reflects Business Value of Information – Some information has value to the business in its own right. This can include intellectual property, business processes, operational information, etc. Retention should also be based on business value. In other words, a company may choose to retain information for a period of time because it has business value, even where there is no underlying regulatory requirement; the schedule should record that business justification just as it records legal citations.

Identify Personal Information and Retention Justification – Data retention policies should detail which records contain personal information and include a business justification for retaining that personal information for the stated period. This is discussed in greater detail below.

Focus on “Big Bucket” Categories – Within the last decade many organizations have shifted to a “big bucket” strategy in which related records are grouped together and there are fewer overall retention periods. A simplified system based on broad retention categories – sometimes called “big buckets” – and a limited number of retention periods (e.g., 1 year, 5 years, 7 years, 10 years and permanent) makes it easier for employees to comprehend, and makes disposition easier to automate, since a handful of category-to-period rules can be encoded and applied consistently.

Clear and Usable – A data retention schedule must be easy to understand. The schedule should be organized so that any given employee can find the records they handle, described in language that is familiar to them. It is helpful to provide specific definitions of record and non-record, as well as examples of documents that employees actually use. To improve the results, do not burden employees with descriptions of record types they are not likely to encounter. The traditional approach is to organize the schedule from the perspective of the records manager; organize it instead from the perspective of the employees who must apply it. Keep it simple and straightforward.

Consider the Need for Legal Holds – Companies facing or reasonably anticipating litigation or regulatory investigations have a duty to preserve information relevant to the matter. This duty to preserve overrides any privacy-driven or schedule-driven expiration or disposition for the records under hold, and it applies even if the retention period has already run out. Policies should acknowledge this responsibility.

Socialize and Obtain Consensus with the Business – Finally, continue to socialize the policy, business value and retention requirements with business units and other key stakeholders, seeking to achieve reasonable retention periods.
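The schedule structure and disposition rules sketched above (a small set of big-bucket periods, trigger events that start the clock, a global period with a local exception, personal-information flags with a justification, and suspension of disposition under legal hold) can be made concrete. The following is an added illustration, not code from the original article or from any product the author describes. The category codes, retention periods, country codes and sample records are constructed for the example; the 15-year China accounting exception and the 8-year global period are the ones cited in the text.

```python
"""Toy retention-schedule evaluator (constructed example, not a real schedule).

Encodes a big-bucket schedule and decides, for each record, whether it must be
retained, may be destroyed, is permanent, is still awaiting its trigger event,
or is frozen by a legal hold. The hold check comes first on purpose: the duty
to preserve overrides every expiry rule in the schedule.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Bucket:
    name: str
    trigger: str                      # event that starts the retention clock
    years: Optional[int]              # None means permanent retention
    contains_pi: bool                 # does this bucket hold personal information?
    justification: str                # business/legal reason for the period
    local_exceptions: Dict[str, int] = field(default_factory=dict)  # country -> years


# Global schedule with a limited number of periods; hypothetical category codes.
SCHEDULE: Dict[str, Bucket] = {
    "ACCT": Bucket("Accounting records", "fiscal_year_end", 8, False,
                   "statutory bookkeeping requirement", {"CN": 15}),
    "HR":   Bucket("Personnel files", "employment_end", 7, True,
                   "defence of employment-related claims"),
    "CORP": Bucket("Corporate governance records", "creation", None, False,
                   "permanent business value"),
    "WORK": Bucket("Working documents (non-records)", "creation", 1, False,
                   "transient; no retention value beyond one year"),
}


@dataclass
class Record:
    rid: str
    bucket: str
    country: str
    triggers: Dict[str, date]         # trigger event name -> date it occurred
    on_hold: bool = False             # subject to a legal hold?


def retention_years(bucket: Bucket, country: str) -> Optional[int]:
    """Global period unless the country has a listed local exception."""
    return bucket.local_exceptions.get(country, bucket.years)


def add_years(d: date, years: int) -> date:
    """Advance a date by whole years; Feb 29 rolls back to Feb 28 in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def evaluate(rec: Record, today: date) -> str:
    """Disposition decision for one record as of `today`."""
    bucket = SCHEDULE[rec.bucket]
    if rec.on_hold:
        return "HOLD"                 # preservation duty beats any expiry
    years = retention_years(bucket, rec.country)
    if years is None:
        return "PERMANENT"
    start = rec.triggers.get(bucket.trigger)
    if start is None:
        return "PENDING_TRIGGER"      # clock has not started (e.g. still employed)
    expiry = add_years(start, years)
    return "DESTROY" if today >= expiry else "RETAIN_UNTIL " + expiry.isoformat()


def run_disposition(records: List[Record], today: date) -> Dict[str, str]:
    return {r.rid: evaluate(r, today) for r in records}


def personal_information_inventory() -> List[str]:
    """Bucket codes that hold personal information, each with its justification."""
    return [f"{code}: {b.justification}" for code, b in SCHEDULE.items() if b.contains_pi]


# Constructed sample records.
SAMPLE_RECORDS = [
    Record("inv-2015-001", "ACCT", "US", {"fiscal_year_end": date(2015, 12, 31)}),
    Record("inv-2015-002", "ACCT", "CN", {"fiscal_year_end": date(2015, 12, 31)}),
    Record("emp-0042", "HR", "DE", {"employment_end": date(2016, 3, 31)}, on_hold=True),
    Record("emp-0043", "HR", "DE", {}),                       # still employed
    Record("minutes-1999", "CORP", "US", {"creation": date(1999, 6, 1)}),
    Record("draft-memo", "WORK", "US", {"creation": date(2024, 2, 29)}),
]

if __name__ == "__main__":
    for rid, decision in run_disposition(SAMPLE_RECORDS, date(2024, 6, 1)).items():
        print(f"{rid:14} {decision}")
    print("Buckets holding personal information:", personal_information_inventory())
```

Two design points carry over from the article: the legal-hold test is evaluated before any period arithmetic, so an expired record under hold still returns HOLD rather than DESTROY, and the local exception is a per-country override on an otherwise global period rather than a second schedule.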