Mark Diamond (firstname.lastname@example.org) is the Founder of Contoural, Inc., in Los Altos, CA.
Today organizations are inundated with paper and electronic information, with emails and other types of data that are overwhelming data storage systems. At the same time, the legal and regulatory recordkeeping environment is becoming stricter, and both global and regional privacy requirements are mounting. Most organizations today have records management policies and processes to govern document and data retention and disposition, but in many cases, these policies are poorly applied to electronic information. This compliance gap between policies and records implementation is driving compliance risks and increasing costs. It’s time to rethink the traditional records retention policy and schedule and create a more modern, compliant, and easier-to-execute policy.
Information has shifted from paper to digital media
According to the Association of Records Managers and Administrators (ARMA), more than 90% of all records today are created or received in electronic format. Traditional records retention schedules were designed around manual processes for the retention and disposition of paper records. Their implementation consisted of sorting paper documents into offsite storage boxes. Electronic information, however, is different. It is more voluminous, stored differently, shared differently, and nearly everyone is likely to be involved in classifying it as a record. It is clear that how the schedule is used (and by whom) is changing.
Paper-centric schedules tend to be long and complex. This complexity worked when it was someone’s full-time job to sort paper. It does not work when records, to some extent, need to be classified and handled by nearly everyone in the organization. Traditional schedules that have thousands of record types across many dozens of pages are just not followed.
We have seen that one of the largest contributing factors of poor records management for electronic information has its root cause in a poor records retention schedule design. These traditional schedules have been confusing and hard to follow:
They are outdated with an emphasis on paper records management.
They focus only on records with legal or regulatory requirements, not on records that have business value.
They were created without consideration of business needs.
They are longer — some have thousands of lines for every single record in the organization.
They have a heavy emphasis on citations (citations are necessary for legal, but they should not be the primary focus of a retention schedule).
Finally, the traditional view was that longer and more detailed schedules were somehow more compliant and would better stand up to the scrutiny of courts and regulators. The case law during the past ten years has told an opposite story. Courts and regulators have come down on companies — not for how detailed their policies were or were not, but rather for their failure to execute them. Courts are much less interested in long, detailed schedules than they are in how companies are following them.
Lack of an effective schedule increases risks and costs
These practices need not only be compliant with legal and regulatory recordkeeping requirements, but their implementation — or lack thereof — impacts a number of other compliance regimes, legal processes, and business practices. For example, the effectiveness of a company’s records retention policy and schedule sometimes only comes to light during litigation. During the discovery process, companies often find in painful detail how much they are over-retaining information, especially electronic documents, such as files and emails. This over-retention drives up costs and risks of discovery. Worse, any gap between what a company said it was going to do, as stated in its records policy and schedule, and what it actually is doing can be exploited by opponents in litigation who claim that if the company is under-retaining any given record type, certainly this must be due to spoliation. Conversely, if a company is over-retaining, opponents’ counsel may argue that they must have a de facto “save everything” policy. They press for discovery to be expanded, because the company must have more relevant documents somewhere. Early on companies find themselves on the defensive, and this can set the tone for the entire lawsuit.
Moreover, many organizations are seeing their records management practices affect their recordkeeping programs. The General Data Protection Regulation and the California Consumer Privacy Act allow retention of business records, but also discourage retention of non-records containing sensitive information. Unstructured data linter files share desktops, and this ongoing accumulation makes controlling and managing privacy — and other sensitive information — both expensive and difficult.
It’s time to rethink records retention schedules.