Records Retention Schedules [w/ Best Practices]
Bank statements, insurance documents, contracts, permits and licenses, personnel files and more — there’s a seemingly endless stream of important records organizations need to keep track of. Many of these documents need to be retained for specific periods of time, either for legal, compliance or just business purposes, which is why it’s imperative that organizations create records retention schedules. This article will help you define your own records retention schedule, with special attention to records retention laws by state.
What Is a Records Retention Schedule?
A records retention schedule, or simply a retention schedule, is a policy that explains how long an organization needs to hold onto certain documents. Although legislative and regulatory compliance are the primary drivers behind organizations creating and implementing records retention schedules, they can also support information management initiatives and help businesses stay organized.
It’s also important to note that records retention schedules exist not just for paper-based records, but electronic records, including emails, text messages, social media posts and direct messages and more.
How Long Are Organizations Required to Retain Records?
There’s really no one rule when it comes to creating records retention schedules. How long you’re required to retain records depends on a few different factors, including:
- What industry your organization operates in
- Where your organization is based
- What types of records you have on file
- What your business needs are
Let’s discuss each of these factors individually.
What Industry Your Organization Operates in
Certain industries are subject to regulation, and certain regulations come with specific records retention requirements. For example, in the financial services industry, the Securities and Exchange Commission (SEC) Rule 17a-4 requires broker-dealers to retain and index electronic correspondence, including email, with immediate access for a period of two years and with non-immediate access for at least six years.
Firms that fail to comply with SEC Rule 17a-4 are subject to investigation and penalization by the Financial Industry Regulatory Authority (more commonly known as FINRA). We’ll talk about other industry-specific regulations a little later in this article.
Where Your Organization Is Based
As any realtor would say, it’s all about “location, location, location.” This is as true for records retention as it is for real estate. Where your organization is based has a direct impact on how long you’re required to retain documents because different countries (and even states) have their own specific requirements.
For example, under Japanese tax law, businesses are required to retain accounting records for up to seven years; the Australian government requires businesses to keep most records for a period of five years; and under Denmark’s Danish Companies Act, organizations are required to retain company documents for no less than five years.
Where your clients are based matters, too. The General Data Protection Regulation (GDPR), which is designed to protect the privacy of citizens of the European Union (EU) and the greater European Economic Area (EEA), is perhaps the most well-known example of this.
Although GDPR does not stipulate specific retention periods, it does require any organization that processes the personal data of EU and EEA citizens — known as “data subjects” — to hold onto that information for “no longer than is necessary.” GDPR also requires organizations to clearly outline and communicate how long they intend to retain data subjects’ information, which makes defining a records retention schedule an absolute must.
What Types of Records You Have on File
Certain records, such as tax documents (and supporting documents), employment records, sales receipts, expense reports and insurance policies, take precedence over others when it comes to records retention. You may not need to retain a company-wide email announcing the date of your annual holiday party, but you definitely need to retain any emails pertaining to your legal, financial or human resources departments.
In some cases, these high-priority records come with their own set of retention requirements. For example, the Internal Revenue Service requires organizations to retain employment tax records for a minimum of four years; the Occupational Health and Safety Administration requires businesses to retain records on workplace injuries for five years; and the Equal Employment Opportunity Commission requires employers to retain all personnel or employment records for one year.
What Your Business Needs Are
Last, but certainly not least, your business needs will dictate how long you hold onto certain documents. From client communications to project-specific documentation and deliverables, there’s a wide variety of records you’ll want to create custom retention schedules for.
Records Retention Regulations
In addition to SEC Rule 17a-4 and GDPR, some of the most important regulations with general or specific records retention schedule requirements include:
- Sarbanes-Oxley (SOX) Act: Passed into U.S. federal law in 2002, SOX created financial record keeping and reporting requirements for corporations to protect investors from fraudulent activity. Those requirements include a five-year retention period for customer invoices, a seven-year retention period for tax returns and receivable or payable ledgers and an indefinite retention period for payroll records and bank statements.
- Gramm-Leach-Bliley Act (GLBA): GLBA, which became law in 1999, requires financial institutions to be transparent with consumers about their information-sharing practices and to make an additional effort to secure consumer data. Although GLBA does not stipulate a specific retention period, the general rule of thumb is to retain all financial records for a period of seven years.
- Health Information Portability and Accountability Act (HIPAA): Although HIPAA — the regulation designed to protect patients’ private data against fraud and theft — does not set specific retention periods of medical records, it does specify how long healthcare organizations must retain HIPAA-related documents. According to CFR § 164.316, healthcare organizations (known as “Covered Entities”) are required to retain HIPAA compliance documentation for a minimum of six years from when it was created or, in the event of a policy, from when it was last in effect.
- Family Educational Rights and Privacy Act (FERPA): FERPA is a data security regulation that applies specifically to educational institutions and agencies. FERPA does not specify retention periods. However, it does require schools to produce and present a student’s educational records to their parent or legal guardian upon request, which means academic institutions would do well to retain these records for at least a few years after a student has graduated or is no longer enrolled.
- Freedom of Information Act (FOIA): Similar to FERPA and GLBA, FOIA — which gives members of the public the right to request records from federal agencies — does not have any hard-and-fast records retention requirements. With that said, FOIA does require federal agencies to establish records management programs and “identify records that should be preserved.” As a result, any federal agency’s record management program should include records retention schedules for different paper and electronic documents.
Records Retention Laws by State
For organizations that are based and operate in the U.S., which state you’re located in will have a direct impact on any records retention schedules you create. The reason for this is that many states have records retention requirements, which are legally enforced.
Here are state-by-state records retention laws:
Best Practices for Defining Records Retention Schedules
Ready to create your very own records retention schedule? First things first: We recommend downloading our free data retention policy plan template, which can serve as a blueprint for your own records retention schedule.
Then, once you’re ready, follow these best practices:
- Understand your requirements. With the help of your legal team, familiarize yourself with your organization’s legal and regulatory obligations and how they might influence your records retention schedule. You’ll also want to take stock of your business’s needs with help from key stakeholders across various departments, including human resources, finance, sales, marketing and IT.
- Optimize for simplicity. Your records retention schedules don’t need to be overly complicated and full of legal jargon. In order to ensure that your employees understand and adhere to records retention schedules, it’s important that you use simple, easy-to-understand language when drafting policies and procedures.
- Make sure your bases are completely covered. Your records retention schedule should not only explain how long to hold onto various documents, but also detail how and where they should be stored, how they should be disposed of when the time comes and who is responsible for enforcing the schedule.
- Don’t take a “one-size-fits-all” approach. Trying to create one, overarching records retention schedule will only increase your risk of noncompliance. You’ll likely find that, in order to meet various internal and external requirements, you need to create multiple records retention schedules.
- Invest in an archiving solution. Archiving solutions are especially useful for electronic communications and files because they can automatically capture data and securely store it within a centralized repository. Certain archiving solutions even enable you to define custom records retention schedules and automate the retention process, saving you and your employees time and effort.
- Back up your data. From systems failures to power outages, disasters can and do happen, and they can cause you to lose access to business-critical information. Investing in a solution that routinely backs up your data is integral to any records management strategy and can reduce your risk of noncompliance.
For more information on how archiving can support records retention, contact the team at Intradyn today.