A records retention policy is the document that tells your organization how long to keep what records and when to dispose of them. It is one of the most under-built parts of small-business compliance, and one of the cheapest to fix.
Here is how to write one in about a week of work.
Why you need one
Three reasons:
Litigation defense. When a lawsuit hits, you have to find and produce relevant records. If you have a documented retention policy and you have followed it, records destroyed under the policy before the litigation are generally not a problem. If you have no policy or have not followed it, destroyed records can support an adverse inference at trial, meaning the jury can assume that what you destroyed was bad for you.
Regulatory compliance. Almost every regulated activity has a retention requirement. Employment records, tax records, healthcare records, financial services records, and government contractor records all have minimum retention periods. Knowing what they are is the difference between a clean audit and a fine.
Operational sanity. Records that are not needed for legal, business, or regulatory reasons cost storage, slow searches, and create privacy risk. Disposing of them on a schedule keeps the organization lean.
Step 1: Inventory your record categories
Before you can set retention periods, you need to know what records exist. Most small businesses have records in roughly these categories:
- Corporate records: formation documents, operating agreement, board minutes, equity records, BOI filings.
- Tax records: returns, supporting documentation, depreciation schedules.
- Employee records: personnel files, payroll, benefits, time records, I-9s.
- Customer records: contracts, communications, support tickets, payment records.
- Vendor records: contracts, invoices, communications.
- Financial records: bank statements, accounting records, credit card statements.
- Legal correspondence: attorney communications, litigation files, regulatory correspondence.
- Marketing records: campaign materials, customer lists, marketing analytics.
- Operational records: project files, meeting notes, internal communications.
- IT records: system logs, backups, security incident records.
For each category, note where the records live (paper, network drive, SaaS app, email), who has access, and roughly how big the corpus is.
Step 2: Determine the minimum retention period for each
For each category, find the longest applicable retention requirement.
Common minimums:
- Corporate records: permanent (formation documents, equity records) or until two years after dissolution.
- Tax records: 7 years (3 years for normal IRS audit period, 6 years if there is substantial underreporting, 7 to cover Section 6694 preparer penalties).
- Employee records: 3 years for I-9s after termination, 3 years for payroll records under FLSA, 30 years for OSHA exposure records (for certain industries), permanent for retirement plan records.
- Customer records: depends on industry. Financial services: 5 to 7 years. Healthcare: usually 6 years after last service. General commercial: 4 to 6 years (statute of limitations on most contract claims).
- Vendor records: 4 to 6 years (statute of limitations on contract claims).
- Legal correspondence: until the matter is closed plus 7 years; longer for litigation-significant records.
Add any industry-specific requirements. Healthcare has HIPAA-driven requirements; financial services has FINRA and SEC requirements; government contractors have FAR-driven requirements.
Step 3: Set the policy retention periods
For each category, set a retention period that is at least as long as the longest applicable minimum and no longer than business need justifies.
A few principles:
Default toward shorter where you can. Records you keep are records that can be discovered, can be breached, and have to be searched. Longer is not safer.
Round to clean cycles. Use annual buckets (3 years, 5 years, 7 years) rather than odd ones; they are easier to administer.
Separate by sensitivity. Records containing sensitive personal data (SSNs, health information, payment data) often warrant shorter retention to limit privacy risk.
Permanent should be rare. Permanent retention is appropriate for formation documents, equity records, board minutes, and a handful of other categories. Most operational records do not need permanent retention.
Step 4: Write the policy document
A policy document should cover:
Scope: who and what the policy applies to.
Definitions: what counts as a record, what counts as a transitory document (drafts, working notes, duplicates) that can be deleted any time.
Retention schedule: a table of categories and retention periods. The schedule is the most important part.
Storage requirements: where records are stored, in what format, who has access.
Disposition procedures: how records are destroyed when their retention expires. Paper records require shredding; electronic records require secure deletion. Document the destruction (date, category, person) for compliance trail purposes.
Legal hold procedures: how the retention schedule is suspended when litigation or investigation is reasonably anticipated. This is the most operationally important section. When you receive a litigation hold notice from counsel, automatic destruction has to stop.
Roles and responsibilities: who owns the policy, who enforces it, who answers questions.
Review cycle: how often the policy is reviewed and updated (annually is standard).
Step 5: Implement and audit
A policy document on its own does nothing. Implementation is:
- Train staff. Everyone who handles records needs to know the categories, the retention periods, and the disposition procedures.
- Automate where possible. Email retention policies in Microsoft 365 or Google Workspace can auto-delete email older than the retention period.
- Schedule reviews. Annual review of the policy, semi-annual review of compliance.
- Document destruction. A log of records destroyed, by category and date, demonstrates that the policy is being followed.
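As an added example, not code from the original article (which is a policy guide, not a software project), here is a Python dry run of the mechanics that Steps 3 to 5 describe: a retention schedule in annual buckets, a disposition pass that checks active legal holds before anything reaches the destroy list, the destruction log entries (date, category, record, person) the policy asks you to keep, and a check for categories where a longer backup retention silently overrides the schedule. The schedule periods, record ids, matter names and the "records-clerk" actor are constructed placeholders, and the rule that retention expires on 31 December of the last year is an assumption chosen to match the annual buckets the article recommends.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed retention schedule in years; None means permanent.
# Illustrative placeholders, not the article's legal minimums.
SCHEDULE = {
    "corporate": None,
    "tax": 7,
    "customer": 5,
    "vendor": 5,
    "it_logs": 1,
}

@dataclass
class Record:
    record_id: str
    category: str
    created: date
    matter: Optional[str] = None   # hypothetical tag tying a record to a legal matter

@dataclass
class LegalHold:
    matter: str
    categories: set = field(default_factory=set)  # whole categories frozen by the hold
    issued: Optional[date] = None
    released: Optional[date] = None               # None means the hold is still active

def expiry_date(record, schedule):
    """Retention runs in whole calendar years (assumption): a record created in
    year Y under an N-year period expires on 31 Dec of Y+N. None = permanent."""
    years = schedule[record.category]
    if years is None:
        return None
    return date(record.created.year + years, 12, 31)

def hold_applies(record, hold, as_of):
    """A hold suspends disposition for its matter and for any category it names,
    from the day it is issued until (if ever) it is released."""
    if hold.issued is not None and hold.issued > as_of:
        return False
    if hold.released is not None and hold.released <= as_of:
        return False
    return record.matter == hold.matter or record.category in hold.categories

def plan_disposition(records, schedule, holds, as_of):
    """Sort records into destroy / held / retained buckets as of a given date.
    The hold check runs before a record can ever reach the destroy list."""
    destroy, held, retained = [], [], []
    for rec in records:
        expiry = expiry_date(rec, schedule)
        if expiry is None or as_of <= expiry:
            retained.append(rec.record_id)
        elif any(hold_applies(rec, h, as_of) for h in holds):
            held.append(rec.record_id)
        else:
            destroy.append(rec.record_id)
    return destroy, held, retained

def destruction_log(records, destroyed_ids, as_of, actor):
    """Audit-trail lines (date|category|record id|person) for each destroyed record."""
    by_id = {r.record_id: r for r in records}
    return [f"{as_of.isoformat()}|{by_id[i].category}|{i}|{actor}" for i in destroyed_ids]

def backup_conflicts(schedule, backup_years):
    """Categories whose policy period is shorter than the backup retention, i.e.
    where the effective retention is really the backup period."""
    return sorted(c for c, y in schedule.items() if y is not None and backup_years > y)

# Constructed sample inventory and holds for the dry run.
RECORDS = [
    Record("TAX-2016", "tax", date(2016, 3, 10)),
    Record("TAX-2019", "tax", date(2019, 5, 1)),
    Record("CUST-2018", "customer", date(2018, 2, 14), matter="acme-dispute"),
    Record("VEND-2017", "vendor", date(2017, 7, 1)),
    Record("CORP-2010", "corporate", date(2010, 1, 20)),
    Record("LOG-2024", "it_logs", date(2024, 1, 5)),
]
HOLDS = [
    LegalHold("acme-dispute", issued=date(2024, 11, 1)),                       # active
    LegalHold("supplier-audit", categories={"vendor"},
              issued=date(2025, 1, 10), released=date(2025, 5, 1)),           # released
]
AS_OF = date(2025, 6, 30)

def dry_run():
    destroy, held, retained = plan_disposition(RECORDS, SCHEDULE, HOLDS, AS_OF)
    return {"destroy": destroy, "held": held, "retained": retained,
            "log": destruction_log(RECORDS, destroy, AS_OF, "records-clerk"),
            "backup_conflicts": backup_conflicts(SCHEDULE, 10)}

if __name__ == "__main__":
    for bucket, value in dry_run().items():
        print(bucket, value)
```

Run as a script it prints the three buckets, the log lines and the backup conflicts. Two points worth noticing: the customer record whose retention expired in 2023 stays out of the destroy list because its matter is under an active hold, while the vendor record is destroyed because the hold covering its category was released before the run date; and with a ten-year backup window every non-permanent category is flagged, which is exactly the mismatch described under "Forgetting backups".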
Step 6: Handle the backlog
Most organizations writing their first retention policy have a backlog of records that should have been destroyed years ago. Two options:
- Comply going forward. The new policy applies to records created after a cutoff date. Old records get a separate one-time review.
- Sweep the backlog. The new policy applies retroactively, with a one-time review and destruction pass.
The right answer depends on the volume of records, the sensitivity, and whether there is any litigation hold currently in place. Do not destroy records under a litigation hold under any circumstances. Get legal review of the backlog sweep before executing.
Common mistakes
A few patterns to avoid:
Treating retention as one-size-fits-all. Different record types have different retention requirements. Lumping everything into seven years is over-inclusive for many records and under-inclusive for others.
No litigation hold process. A retention policy without a litigation hold process is worse than no policy. Destroying records you should have preserved under a hold can be spoliation.
Forgetting backups. If your retention period is five years but your backups go back ten years, the retention period is effectively ten years for anything covered by the backups. Either shorten the backup retention or extend the policy.
Not reviewing. Retention requirements change. Annual review keeps the policy current.
When to bring in counsel
For a small organization with standard records, this framework is a working policy. Bring in a lawyer if you are in a regulated industry (healthcare, financial services, government contracting), are subject to GDPR or state privacy laws with data minimization requirements, have international operations with foreign retention requirements, or are anticipating or responding to litigation.
If any of those apply, LawSens.ai can match you with a compliance attorney in your state.