Blanket retention periods that are exceedingly long (e.g. 5, 10, 20+ years) by their very nature put constraints on organizations. Not only does the IT function need to accommodate such corporate dictates, but often the retention of such information and its corollary policies become the tail that wags the business dog. The conundrum is that without appropriately long retention policies, organizations run the legal risk of not knowing what they don't know. In other words, they risk opposing counsel, the news media, the public, or other antagonists gaining access to damaging information that the organization may not even know exists.
In many organizations this dynamic results in no one leader owning the retention policies. As such, the policy defaults to either a very long retention period blanketing all data (this often occurs in quasi-regulated and government sectors) or the other end of the spectrum: shred everything after 90 days (less regulated businesses such as retail).
Stakeholders must come together to 1) perform a risk assessment; 2) understand the impact of retention policies on information both as a liability and asset; 3) agree on a policy, strategy, and governance structure that protects the organization and allows for sufficient business agility.
Action Item: Organizations must periodically revisit retention policies to ensure they align not only with regulatory obligations but also with business imperatives. Where legacy policies are outdated and inadequate, leaders must attack the problem head-on by organizing cross-functional teams involving records management, legal, IT, business units, and auditing to perform a risk/reward analysis and set cogent policies based on ever-changing business requirements.