Record Retention Tips from Jason Priebe, Seyfarth Shaw
C4CM sat down with Jason Priebe, partner at Seyfarth Shaw, to discuss record retention policies for organizations of all sizes. Jason works out of the Chicago office, and has 15 years experience helping companies of all sizes putting together data privacy, information governance, and record retention programs.
C4CM: Jason, thank you so much for giving us some time to talk about record retention with us today. It seems like it should be a simple subject, but I’m sure, like everything in business, it’s more complicated than it seems at first glance.
Jason Priebe: My pleasure! I’m happy to be here.
C4CM: Let’s start with the basics. What is record retention for a business? Do I, as an employee, need to keep my emails forever?
Jason Priebe: Partly. Emails certainly come first to mind in the 21st century, given the way modern businesses operate, when you think of information and documents you need to do your job. It’s tricky, however, because not every email is a record. But, some are.
Generally speaking, one of the biggest challenges of record retention is identifying what rises to the level of a record. An email that talks about is anyone available to go to lunch today is going to be much different the company for record retention value than one that has a signed contract attached to it, or one that’s closing a deal.
The challenge, for any record retention project, is to classify different record types, and then figure out where they sit, with respect to the company’s retention strategy. This includes compliance with the law, as there are certain legal requirements for certain types of records, specifying that they have to be kept for a certain amount of time, and perhaps some have to be kept in a certain way or location, due to data security.
You also get rid of what you don’t need, not only because of risks to the company, of keeping records longer than you need to, but it’s also a cost.
C4CM: I knew it, it’s more complicated than it seemed! So tell me, what do companies really get wrong with regards to record retention?
Jason Priebe: The simplest go–to answer is that some companies think that if we just keep everything forever then we’ll never get in trouble. Most of the time now, people have realized that that is an unsustainable model. Data is increasing on an exponential scale.
In electronic discovery, I help companies respond to and investigate internal investigation and litigation, which impacts large amounts of information. I’ll just tell you, from my own experience, that for a typical user in a typical company, the volume of email that he or she may have in a one year period of time has more than quadrupled over the past three years, which is astonishing.
The problem is that the more information you have, the more it costs you in an investigation situation. Not just to pay the lawyers, but also to pay for the technology to sift through, search, identify and classify information. All that is based upon volume, and the more you have, the more you have to pay.
C4CM: Say you came across a company with no record retention policy or procedures in place. What would be the first order of business?
Jason Priebe: In terms of getting a record retention plan, the first three steps I would take would be:
- Get the right people around the table,
- Assess the current state, and
- Create the record retention schedule.
The very first step would be to organize a team of stakeholders to get the right people around the table and make sure everyone was on board, that this is a real issue and serious for the company. Next, I’d work with those individuals to evaluate current state of records, including technology capabilities that may already be in place to organize, identify and categorize records, whether they are emails, file shares, or even regular old paper.
Then we could create the record retention schedule, which is the first step in terms of documentation or standardizing a record retention program. That schedule is really the engine that makes a record retention policy work. It’s a classification of all the record types that the company creates and stores on a routine basis, as well as a description and examples that make sense to rank and file employees. This way they can find records they create in the schedule, and know what to do with them.
C4CM: Would you include anything else in the schedule, beyond the type of record?
Jason Priebe: Yes, definitely. The most important part of the schedule is the retention period that tells employees how long we’re going to keep this record, and no longer. The retention periods are based on legal requirements for the jurisdiction that you operate in, and also business requirements. The legal requirement is a minimum, so for instance if a record has a legal minimum requirement of 3 years, but you really need it for some other report for 4, then it’s appropriate for your retention schedule to reflect 4 years, instead of the legal minimum.
C4CM: Thank you so much, Jason. This has been extremely interesting and informative. Any parting words for our audience?
Jason Priebe: What most companies are realizing is that this isn’t just a challenge that faces people in finance, compliance or HR. This is something that everybody needs, and it needs to be developed across the organization. It’s in the best interest of knowledge management in terms of figuring out what we have within an organization. Take for example when someone retires, you need to know what important information they had, and what needs to be passed on to the successor for that role.
It’s important for the organization, just to make people’s work more efficient so we can locate things, save money and avoid risk. And it’s important for information security and data privacy compliance, which, like it or not, is becoming a bigger part of the operations of companies both large and small in the US.
Interested in hearing more from Jason? Hear him present on Employee Records Retention: Save it? Scan it? Shred it? Delete it? for C4CM.