The importance of implementing an effective and sustainable business records management protocol cannot be overstated when it comes to remaining compliant with legal retention requirements set out in pertinent data protection, tax, and employment statutes. As an added bonus, it also cuts back on expenses and mitigates the risk of retaining unnecessary data. For small business owners, there are several unanticipated scenarios where you will be required to provide business records—whether that be responding to an Equal Employment Opportunity Commission (EEOC) complaint or undergoing an IRS audit. That is why it is essential to create and maintain a document retention policy. To assist New York small business owners start crafting their own document retention policy, here’s a closer look at some key terms associated with the process as well as a useful checklist to help track progress.
Understanding Records Retention
Document retention is the process by which records needed for ongoing business operations are identified and maintained. An organizational document retention protocol lays out guidelines for the review, safe storage and periodic disposal of unnecessary records.
First things first: what exactly is a “Record”? Records are any written or recorded documents, communications, or similar materials. They can exist in a plethora of varying formats, including electronic, paper, book facsimile, film, videotape, audiotape, and more. As technology continues to advance, it is important to note that the type and scope of records small businesses will need to pay attention to will only further expand.
More specifically, “Business Records” are those that are created or received during the course of business operations which are required for a work-related or legal purpose. These types of records accomplish the following tasks:
- Record a business event, operation, or transaction
- Identify entities or individuals involved in a business operation
- Substantiate data pertaining to business-related event, operation, or transaction
- Required for other valid legal, business, or compliance use
Records that are not needed to accomplish the above tasks and do not fall under an applicable legal retention requirement are no longer considered business records and should be promptly deleted. Examples of records that should be deleted as soon as possible include:
- Routine organizational-wide, department-wide or team-wide notices
- Unsolicited resumes received by personnel not assigned to human resources
- Any correspondence serving an immediate or short-term function that has since expired
- Recorded voicemails, emails, texts, chats, and instant messages
- Personal files, emails or other documents stored on corporate software
Small business owners should only retain business records for as long as mandated by any applicable statutes or regulations. When it comes to drafts and duplicates of files, they should be properly disposed of once they are replaced by subsequent drafts or versions. Employees should only retain duplicates of business records for as long as they may need them for a verifiable business purpose.
The majority of business records are maintained on an electronic database, with physical copies typically being considered duplicates that do not have to be retained. Note, however, that prior to retaining any contracts or similar binding agreements exclusively in an electronic copy, it must be ensured that the electronic copy: (1) Presents an accurate reflection of the information established in the business record, and (2) Are preserved in a file format that can be retained and reproduced reliably for later use over the course of any applicable retention period.
As a small business owner, you may be the one that oversees all business record creation and retention protocol. However, if your organization consists of several employees or even departments, then it is important to designate a ‘Record Custodian’ that is an individual or team tasked with responsibly retaining and disposing all business records in a secure and timely manner.
The Record Custodian also enforces internal business record creation protocol—ensuring that all communications associated with your company’s business are accurately drafted and are in no way misleading, intentionally false, fraudulent or otherwise in violation of any applicable statutes, regulations or organizational policies. Because these communications are either created or received in the course or conduct of busines operations, the company has ownership over them. Accordingly, no employee possesses any personal or proprietary right over any business record even if they created it as part of their occupational responsibilities.
Creating a Document Retention Policy
Crafting and implementing an effective document retention policy is a continual process. As long as your business is operational, there will be a continual cycle of records being generated, stored and disposed of. Here is a step-by-step guide to get you started.
- Document Inventory: You first must sort through all of your existing documents to determine the quantity of digital and physical records that you need to organize. Take a methodical approach by using inventory reporting forms to record the location of existing records. Try to categorize these records as either general (daily business operations), vital (required after an emergency to sustain business operations), archival (historical documents), or non-records (personal files, junk mail, duplicates). Completing this task will help you finalize your retention timeline in the next step.
- Create a Retention Schedule: While a document may have been essential at some point in the past, that does not mean that it will always be relevant to your business operations. Virtually every document—with a few notable exceptions like deeds, patents, auditor reports and annual financial records—has a measurable lifespan before it must be disposed of. Holding on to records longer than needed could potentially create legal liabilities. For instance, the discovery phase of litigation could uncover additional adverse information in your records that should have been deleted long ago. Additionally, it’s never a good move to unnecessarily shoulder the responsibility for any confidential customer data that could create major implications if inadvertently leaked or accessed. Unfortunately, there is no one-size-fits-all approach when it comes to retention schedules. Be sure to research all local, state, federal and industry-specific guidelines so that you can remain compliant. For instance, all financial, contractual, personnel, insurance and tax records will need to be retained for at least seven years.
- Records Storage: Effective and secure records storage is an indispensable component of your company’s collective records management policy. This includes everything from locking filing cabinets to encrypting files on your database. Consider using offsite storage offering enhanced security from natural disasters and theft for physical files instead of your office space. For digital files, there are numerous third-party data center providers that can backup and store your records, provide greater protection from computer hackers, and increase the upload speed to make the files more easily accessible (especially if you must transfer a large amount of data).
- Disposal: You should review all records on an annual basis and purge any that are no longer needed in accordance with your retention schedule to mitigate liability and decrease storage costs. Note that no records should be destroyed if your business reasonably anticipates litigation. The intentional destruction of pertinent records could lead to costly sanctions. If you use a third-party to handle your document destruction needs, make sure that they are compliant with the National Association for Information Destruction (NAID). This will ensure that all confidential material is kept secure through the transportation and storage phases prior to their destruction.
Get Started Today
At LOVE LAW FIRM, we understand that small business owners have a lot on their plate. From overseeing day-to-day operations to crafting a viable long-term market strategy, it can be overwhelming to navigate the myriad of nuanced legal and regulatory issues associated with managing your organization. That’s where we come into play. Contact us today to learn more about how we can assist you with all of your business legal needs—including document retention policies—so that you can focus on what is most important: growing and scaling your business!
To Learn More:
Visit our Corporate Recordkeeping practice area for more information.
Francine E. Love is the Founder & Managing Attorney at LOVE LAW FIRM, PLLC which dedicates its practice to serving entrepreneurs, start-ups and small businesses. The opinions expressed are those of the author. This article is for general information purposes and is not intended to be and should not be taken as legal advice.