Recently, a coalition of attorneys general from the District of Columbia, 47 states, and five U.S. territories entered into a settlement agreement with one of the most prominent management consulting firms in the world related to its role in performing consulting services and destroying documents related to the work performed on behalf of various opioid manufacturers. As part of this settlement – and, groundbreaking, from an information governance perspective, the firm agreed to adopt a strict document retention plan and code of ethics.

A defensible and annotated record retention schedule lets companies know how long they must keep records, when they can destroy records and the legal bases for these actions. This post provides an aerial view of some of the reasons why virtually every regulated organization should adopt and update a defensible record retention schedule.

Why you need a record retention schedule

Reason 1 – The Law Says So

Many laws specifically require companies to keep a record retention schedule – one well known example is the Sarbanes-Oxley (SOX) Act of 2002, but there are many others (and in many countries).

Reason 2 – Data Privacy

Most data protection laws including the GDPR require parties that process personal data to destroy the data once it is no longer needed for the processing purpose. A common exception to this general rule is data that are required to be kept to satisfy the entity’s legal obligations – including, for example, legal retention requirements. So, for example, a bank that is required to keep specified customer account records for 5 years may be prohibited from keeping that data for 8 years because of the obligation to destroy unneeded personal data – and a bank that keeps such data for the longer period may be in breach of its customer privacy-law obligations.

Reason 3 – Litigation

Imagine that you are involved in a lawsuit with a customer. Then, imagine that you have a series of ten-year old un-destroyed contracts and statements of work that potentially implicate your company or create a potential liability for your managers. The applicable law states that you must only keep contracts of this type for 5 years. However, because you did not have an informed document retention policy that instructed you to destroy these documents after 5 years (or, possibly, 6 years), opposing counsel discovered information that created a legal liability. Having an effective record retention policy could have avoided this consequence.

Reason 4 – Internal Efficiency

Records are constantly being created – and the more unnecessary records that you retain, the harder it will be to find the records that you need. In addition, you may incur additional legal or business risk by not being able to locate records when you need them or if you rely on the “wrong” records.

What Does a Record Retention Schedule do for you?

A well formulated and properly implemented record retention schedule allows you to:

• Optimize their internal resource utilization by limiting the cost and noise associated with unnecessary data retention;

• Allow auditors to see that you are, in fact, complying with your regulatory requirements;

• Allow you to find the records that you need and avoid retaining records that you either do not need or that create potential liability;

• Foster an internal culture of transparency and a sensitivity to compliance;

• Reduce risks associated with litigation and administrative proceedings.

We invite you to contact us to discuss how we can help you formulate a retention schedule that meets your needs.

#retentionschedule #informationgovernance #compliance