There are federal, industry and international standards for retention of data.
Many corporations underestimate the risks associated with not having an efficient policy for retaining and disposing of corporate documents. Part of the overall process of records management, an effective document retention policy can provide an edge to companies that want to stay ahead of competitors in an era where information has become as important as currency.
Why should companies review and update their document retention policies now? Changes in privacy laws that carry costly fines and penalties are one major factor. You should no longer believe it’s acceptable to hold on to data forever.
‘Regulations are coming online that require you to deal with this,’ warns Marty Provin, executive vice president of records and privacy management services provider Jordan Lawrence. ‘You may have lawsuits that involve records retention as well,’ he adds, as up to 60 percent of litigation costs go to document review. Streamlining company procedures to locate and destroy documents in compliance with the law will be helpful in e-discovery and will keep companies from being hit with sanctions by the courts.
Additionally, experts suggest that significant cost savings could result if companies make proper adjustments to their document retention policies. As the average privacy breach costs $7.2 million, policies that prevent such expensive mishaps are critical. Plus, if a company adjusts its retention policies so that it reduces the total amount of documents it stores, this can reap further savings. As it costs an estimated $5 to produce and review each email, $4 per year to store a box of paper and $2-$20 to store each gigabyte of electronic data, limiting these expenses is financially prudent.
Laws to look out for
In the United States, companies must adhere to federal and industry-specific requirements for the retention of documents. In addition, there are 49 states that have their own privacy laws, and those laws are often founded on residency issues. ‘If your employee or customer is a resident of one of these states, that means you must comply with these laws,’ says Provin.
Some companies may face the challenge of adhering to Texas House Bill 300, which deals with the storage or transmission of ‘protected health information’ in electronic form. Any entity that collects, analyzes, stores or transmits health information must now meet privacy rule requirements that are stricter than those laid down by the Health Insurance Portability and Accountability Act and must provide customized employee training regarding the maintenance and protection of the protected health information of Texas residents. This will obviously become an additional cost burden to companies.
Another challenge will be Mexico’s ‘Federal law on the protection of personal data in the possession of private parties’, which was implemented in January and is part of a trend whereby international jurisdictions are setting rules for the handling of personal data. Companies must comply with these rules or face major fines. These new laws involve retention limitations which specify a maximum period of time that companies are allowed to keep personal data before having to dispose of it. In the case of the Mexican law, if you keep records longer than the period prescribed, you could be liable for a fine of up to $1.5 million.
While it seems unfair, expect more of this type of legislation in the near future. The rise in data breaches that compromise the personal data of employees and customers is at the heart of this trend.
Creating an effective policy
When it comes to creating an effective records retention policy, Provin says you should start by talking to the heads of your business units. ‘They understand all the important questions of how the information relates to the business – who they share the info with, why they need it and what they use it for to help the business grow,’ he explains.
Talking to your business heads will allow you to identify the different areas of information you need to save. You’ll have to ‘profile’ each of the different types of records, carefully making note of the company’s retention needs, privacy concerns, the location of the data, how the data moves within your organization, and the computer software and other applications that the documents are stored on or accessed with.
Your top business people should also be able to identify all business representatives that might use each of the different types of documents, and can help you get a better understanding of other content that the company has and may need to keep for business and legal reasons.
Once you’ve had those conversations, talk with your head of compliance about the proper use of email in your industry. Then bring all parties together to have an open conversation about all the risks associated with retaining and eliminating each document type. But keep in mind that the new rule for document retention is that ‘an organization should only keep employee and customer personal data for a reasonable amount of time – then it should be gotten rid of.’
Other key areas Provin advises considering when updating records retention policies include:
Know your records. What type of records does your company have on file, and where are they? Create a ‘records inventory’ and begin tracking how those records are created and the volume you may have to deal with in a given year or critical business cycle.
Understand your retention requirements. Many documents have rules that determine how long you can keep them or when they must be destroyed. These requirements may differ between industries, so make sure you are aware of the regulations and are in compliance. Also be aware of your own internal requirements for retaining documents. If your employees need to keep information to do their jobs, or the records are needed to support certain business operations, it may be in your best interests to retain documents longer. Your legal department may also have reasons why it may be better to eliminate certain documents, like email, on a regular schedule.
Determine the importance of the information. Determine how sensitive the information in the documents you have is. Documents that contain intellectual property, personal information and information that is material to the business must be handled with greater care and may need to be held for longer.
Select the best medium to store the information. What medium is best for storing the information, and how long are you keeping it? Make sure you have back-up copies of the information in a secured location in case of system failure.
Provin says that using this process should help companies come up with a retention policy that fits their corporate needs. He emphasizes that companies should aim to ‘come up with rules that are simple, have trigger events that start the retention clock for the data, and provide an explicit policy of what to do and what not to do with that data.’