Creating and maintaining your record retention policy is one of those tasks that takes a little time upfront but can save a lot of time and confusion later on. It’s essentially a way of making sure everyone in your organization is on the same page about how to handle all your sensitive information, both paper documents and digital records. Having a record retention policy in place gives everyone a clear overview of the steps they’re expected to take to protect the business’s data, from the time that new records are created up until they’re shredded by data destruction services or otherwise destroyed.
In some places and in some industries, data compliance laws require organizations to retain documents for specific periods. But even businesses that don’t deal with health or financial records should have basic record retention policies in place, if only so employees don’t have to waste time chasing down answers every time they wonder whether they should keep or delete some sensitive file. Having a clear and consistent approach to record retention and management may also be very useful if you’re ever involved in any legal action or audit that requires you to turn over specific records.
What’s in Your Record Retention Policy?
A record retention policy doesn’t have to be a long or complex document. It only needs to include a few core elements. The first essential element of a retention policy is a list of record types and the minimum length of time that each type should be kept.
Some things like financial statements and tax documents should be kept permanently, but many business documents like payroll records and invoices can be discarded after three to seven years. Make sure to also address digital records by clarifying that things like emails and PDFs are subject to the same retention timelines as paper documents. (Consult with whoever manages your IT to make sure your policy accurately reflects the way your business manages and retains digital information.)
You may find sample record retention policies online for guidance if you’re not subject to any industry-specific data compliance laws that might affect the specific timelines in your policy. It’s always best to check with your legal counsel to make sure not only that you’re aware of any data compliance rules that do apply to you, but also that you haven’t overlooked anything that could expose you to liability.
How Data Destruction Services Fit In
“Record retention and destruction policy” might really be a more accurate name for this document. Your policy must address the proper procedures for getting rid of records once your business no longer needs to keep them.
Holding onto old paper and digital records for too long just takes up storage space and creates clutter that could make it harder to locate the documents you really do still need. Once records outlive their usefulness (per the timelines in your policy), they should be securely destroyed. Address data destruction best practices in your policy so data compliance and data security aren’t compromised when employees get rid of things.
Again, data destruction doesn’t need to be a long or complicated part of your record retention policy. The key elements you may want to address in this section of your policy include:
- The department or title of the person who oversees data destruction issues in your organization.
- Information about the length of time different document types should be kept.
- Information about how obsolete paper documents should be destroyed (shredded by data destruction services).
- Information about how obsolete data-storing devices like hard drives should be destroyed (again, ideally these devices should be shredded by data destruction services).
- Information about how frequently email and other digital records are deleted from your systems (with guidance from whoever handles your IT).
- An acknowledgement that no records will be destroyed if they’re related to any ongoing legal action or audit (with guidance from your legal counsel).
Once your record retention policy is complete, including a section on data destruction, make sure every single person in your organization gets a copy. Even remote workers should be trained on your retention policy so everyone who might have access to your business’s records is clear about best practices for protecting your sensitive data.
Northeast Data Destruction provides data destruction services that allow our clients to meet their data compliance obligations and protect their employees’ and customers’ sensitive information. We provide secure pickup services and shredding in our NAID AAA-certified facility. If you have any questions about how to address data destruction within your records retention policy, I’m happy to help. Contact me today!