Data security best practices that include an active document retention and destruction policy is critical for any business and must be considered a priority for today’s retail enterprise.
With the complexities of document management (which must address both hard copy materials as well as electronic data), what organizations keep and what they destroy must involve well-conceived document retention guidelines that are appropriately managed.
The primary focus of managing this information is based on the ongoing need to secure financial and other confidential information against theft or unintended/unauthorized release.
While this is surely a critical component of document management, companies must also consider that the more routine, day-to-day documents created by employees at all levels can also prove to be just as critical to the success or failure of the business.
Managing data security by following the appropriate document retention guidelines—as well as the appropriate destruction of company documents—is important for a variety of reasons:
- The retention of an infinite number of documents may become both expensive and impractical. The potential expenses relating to storage and management of these documents alone would be prohibitive. Organizational concerns, categorization and filing systems also provide control and systemic difficulties.
- The premature destruction of certain documents may lead to the loss of valuable information and result in organizational obstacles that can impact the operation and success of the business.
- Legal and regulatory requirements mandate the retention of certain documents for minimum periods of time, as well as the destruction of certain documents once their purpose has been fulfilled.
- The destruction or elimination of certain documents could leave the appearance of impropriety, or may otherwise lead to the eradication of documents that could support or defend the company against legal and/or civil claims.
- As it pertains to online records, it is important to consider the inevitable issue of hardware, software and media obsolescence. There will be incidents when records must either be migrated to new versions, or the old hardware/software must be retained in order to read the records. Migrating may also cause records to change or lose their format, necessitating quality control procedures to ensure all information retains its original content, context and structure.
Competent and consistently enforced document retention guidelines can reduce a company’s risk by ensuring that information is handled properly. There is more to effective document retention and control than managing physical or digital space.
Unfortunately, companies often realize the true value of proper document management when things go wrong, and previously overlooked issues take on greater significance. In particular, the increasing use and complexity of our documents, systems and databases, to include the use of emails and related correspondence, is driving an invigorated need to implement effective controls and define data retention and data protection strategies.
Developing Your Own Document Retention Guidelines
Written document retention guidelines formalize a company’s protocol for saving and discarding documents received and/or created during the course of business. The principle behind any document retention program is that only useful records should be preserved, and only for the limited period of time during which their retention is useful or required by law.
While easily stated in theory, application can be much more difficult, as it involves a well-planned risk assessment based on legal, technical and business considerations.
Creation of a sound document retention and destruction program requires knowledge about the specific workings and needs of the organization, and should be developed, implemented and enforced with due diligence and attention.
Tips for developing and maintaining a document retention and destruction program might include the following:
- A good starting point is to define what constitutes a “business record” and a means of categorization. Records are created for a variety of reasons, but regardless of the reason a record is created, there is a useful life of that record. Having a definition and a means of categorizing documents will make operational record keeping decisions easier and more efficient.
- The company’s technology (IT) department should be involved in decisions regarding the policy and methods for enforcement when those policies involve electronic or other related venues and documents.
- There should be a clear schedule identifying the minimum and maximum retention periods for all documents covered within the program.
- Numerous statutes, regulations and regulatory instruments impose record keeping requirements on retail organizations and other business entities, generally applicable to specific categories of records. Such requirements may involve what, where, how, and for how long these records must be maintained. All pertinent practices and requirements should be maintained and reviewed on a regular and consistent basis to ensure compliance.
- There should be a framework for administration of the program to include training and education, assigning monitoring responsibilities, capability assessments and a schedule for updating the program so that it reflects current legal requirements and business needs.
- Appropriate security and privacy controls must be established to ensure the protection of sensitive/confidential documents. Every company is bound by contract, law or practice to treat certain information as confidential, and every effort should be made to maintain that trust at all times. This would include security of the storage medium as well as the establishment of stringent procedures and protections when such documents are destroyed. protection and control should be of paramount concern up to and including document destruction.
- The program should be documented, published and appropriately communicated to enhance understanding, limit confusion and increase efficiencies.
- Clear accountability should be established for enforcement of the program. Involved employees should be properly educated as to the importance of the policies and held accountable for following the established guidelines. Routine (scheduled and unscheduled) audits should be conducted to ensure compliance.
- There may be instances when the suspension of records destruction is necessary, such as: imminent or current litigation, receipt of subpoenas, government inquiries, audits, or other types of related events that might warrant such action. When such records may be needed beyond the defined retention period, a methodology should be in place which immediately notifies all appropriate personnel of these actions, to include legal counsel, records managers, department managers, IT managers, and operations and loss prevention executives when necessary and appropriate.
By capitalizing on opportunities to enhance our knowledge and education, we are making an investment in our own future. To learn more about data security best practices and the certification process, visit losspreventionfoundation.org.
This post was originally published in 2016 and was updated August 13, 2018.