An ongoing and frequent request is to assist clients with record retention guidelines and migration from storing massive amounts of paper records to an electronic system. How to do this correctly cannot be fully encapsulated in a blog post, but here are a few thoughts to consider when tackling this cumbersome process.
There are very specific federal and state laws that apply to record retention. Most of them are very old and out of date, but they are still on the books. Without addressing the retention issues of a litigation hold and eDiscovery (which are complicated), developing a basic record retention program is still challenging, and because the risk of data in general, more and more companies are revisiting their record retention programs. This is a good idea.
One of the most challenging parts of developing a record retention program is getting started. Here is a rough outline of how to get started and things to consider when embarking on developing your record retention program or when trying to figure out what to scan and shred.
- Determine which state and federal laws and regulations apply to your company’s records (some of these laws are specific to certain industries).
- Map the data required by laws and regulations to be retained and concentrate on that data first.
- Determine how long laws and regulations require that these records need to be retained.
- Develop a record retention schedule for the different types of records that need to be retained by laws and regulations.
- Determine what records can be destroyed and shred them or delete them from the electronic system (making sure none of them are subject to litigation holds or eDiscovery Orders).
- If you scan records that need to be retained into your system, consider access controls to sensitive data or personal information to only authorized employees.
- Consider encryption technology (encryption at rest) after migrating from paper to electronic storage.
- Map vendors who may have access to the electronic documents and put appropriate contracts in place with them.
- Assign business owners to the data that is subject to the record retention program so the schedule will be followed.
- Stick to the schedule.
- Review and revise the program on an annual basis.
Storing unnecessary data is risky, so tackling record retention is a basic part of your risk management program. Tackling the risk with baby steps makes the process easier.