A defensible and annotated record retention schedule lets companies know how long they must keep records, when they can destroy records and the legal bases for these actions. This post provides an aerial view of some of the reasons why virtually every regulated organization should adopt and update a defensible record retention schedule.
Why You Need a Records Retention Schedule
Reason 1 – The Law Says So
Many laws specifically require companies to keep a record retention schedule – one well-known example is the Sarbanes-Oxley (SOX) Act of 2002, but there are many others (and in many countries).
In addition, in a recent (2019), well-publicized enforcement action, In re InfoTrax Sys., the Federal Trade Commission cited a business’s ineffective record retention practices as a basis for a data security enforcement action, identifying the business’s failure “to have a systematic process for inventorying and deleting consumers’ personal information stored on InfoTrax’s network that is no longer necessary” as one of the unreasonable security practices that led to multiple and repeated security breaches.
Reason 2 – Data Privacy
Most data protection laws, including the European Union General Data Protection Regulation (GDPR), the California Privacy Rights Act (CPRA), which was passed in 2020 and is scheduled to come into effect on January 1, 2023, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and the privacy laws of numerous other developed countries, require parties that process personal data to destroy the data once it is no longer needed for the processing purpose.
A common exception to this general rule is data that are required to be kept in order to satisfy the entity’s legal obligations – including, for example, legal retention requirements. So, for example, a bank that is required to keep specified customer account records for 5 years may be prohibited from keeping that data for 8 years because of the obligation to destroy unneeded personal data – and a bank that keeps such data for the longer period may be in breach of its customer privacy-law obligations.
Reason 3 – Litigation
Imagine that you are involved in a lawsuit with a customer. Then, imagine that you have a series of ten-year-old undestroyed contracts and statements of work that potentially implicate your company or create a potential liability for your managers. The applicable law states that you must only keep contracts of this type for 5 years. However, because you did not have an informed document retention policy that instructed you to destroy these documents after 5 years (or, possibly, 6 years), opposing counsel discovered information that created a legal liability. Having an effective record retention policy could have avoided this consequence.
Reason 4 – Internal Efficiency
Records are constantly being created – and the more unnecessary records that you retain, the harder it will be to find the records that you need. In addition, you may incur additional legal or business risk by not being able to locate records when you need them or if you rely on the “wrong” records.
What Does a Record Retention Schedule Do for You?
A well formulated and properly implemented record retention schedule allows you to:
- Optimize your internal resource utilization by limiting the cost and noise associated with unnecessary data retention;
- Show auditors that you are, in fact, complying with your regulatory requirements;
- Find the records that you need and avoid retaining records that you either do not need or that create potential liability;
- Foster an internal culture of transparency and a sensitivity to compliance;
- Reduce risks associated with litigation and administrative proceedings.
An Additional Benefit of Retention Schedule Implementation – ROT Removal
It is widely known that most businesses store significant amounts of redundant, obsolete and trivial data, otherwise known as ROT. ROT data is commonly estimated to comprise up to 80% of the data stored on most company servers, leading to increased storage costs as well as heightened risks of hacking and decreased efficiency. Automated ROT elimination, through the deployment of software that identifies and classifies unstructured data, is commonly performed in tandem with the implementation of a retention schedule and is generally considered a necessary part of the “clean-up” process. Often, retention schedule implementation also provides the necessary trigger for businesses seeking to eliminate ROT data.
Key Points
Businesses, and particularly regulated businesses, have both a regulatory obligation and a risk-minimization need to develop a structured, defensible and usable records retention schedule. The implementation of such a schedule has the potential to minimize risk, increase efficiency and drive down the costs associated with storing either too much or the wrong kind of data. In addition, because the development and implementation of a records retention schedule is often performed in tandem with a company’s ROT identification and removal efforts, this effort has the potential to significantly lower data storage costs and to free companies’ servers from the presence of unneeded and expensive data on an ongoing basis.