{"id":2415754117199,"title":"#661 IT LAW: DOCUMENT\/DATA RETENTION POLICY (DRP)","handle":"661-it-law-data-retention-polices","description":"\u003cp\u003e\u003ciframe id=\"ls_embed_1551590086\" src=\"https:\/\/livestream.com\/accounts\/10812142\/events\/8528637\/videos\/188056784\/player?width=640\u0026amp;height=360\u0026amp;enableInfo=true\u0026amp;defaultDrawer=\u0026amp;autoPlay=true\u0026amp;mute=false\" width=\"640\" height=\"360\" frameborder=\"0\" scrolling=\"no\" allowfullscreen=\"\"\u003e \u003c\/iframe\u003e\u003cscript type=\"text\/javascript\" data-embed_id=\"ls_embed_1551590086\" src=\"https:\/\/livestream.com\/assets\/plugins\/referrer_tracking.js\"\u003e\u003c\/script\u003e\u003c\/p\u003e\n\u003cp\u003eSPEAKER DR. ERIN HILL\u003c\/p\u003e\n\u003cp\u003eHOURS 1 HOUR MCLE\u003c\/p\u003e\n\u003cp\u003eTOPIC: IT LAW: DOCUMENT\/DATA RETENTION POLICY\u003c\/p\u003e\n\u003cp\u003e(meets the Technology requirements for Florida and NY)\u003c\/p\u003e\n\u003cp\u003eDOCUMENT RETENTION POLICY (DRP)\u003cbr\u003eMCLE Seminars: Ulrich Nash and Gump Legal Education\u003cbr\u003e\u003cbr\u003eSpeaker: Erin Hill\u003cbr\u003e________________________________________________________________________\u003cbr\u003eAGENDA:\u003cbr\u003ePOINT 1: REASONS TO ESTABLISH A DOCUMENT RETENTION POLICY\u003cbr\u003ePOINT 2: REVIEW CURRENT REGULATIONS\u003cbr\u003ePOINT 3: IDENTIFY DOCUMENTS \u0026amp; ASSIGN OWNERSHIP\u003cbr\u003ePOINT 4: DRAFT YOUR DATA RETENTION POLICY\u003cbr\u003ePOINT 5: TRAIN \u0026amp;; STAY CURRENT\u003c\/p\u003e\n\u003cp\u003eCONCLUSION\u003cbr\u003ePOINT 1: REASONS TO ESTABLISH A DOCUMENT RETENTION POLICY\u003cbr\u003eEstablishing a data retention policy (DRP) assists organizations with managing and\u003cbr\u003eprotecting important data to avoid any civil, criminal, and\/or financial penalties that may\u003cbr\u003eresult from poor data management practices. A DRP equips organizations with procedures\u003cbr\u003eto review, retain, and destroy documents possessed by or created in the course of business.\u003cbr\u003eLocal, state, federal and international policies, rules, statutes and laws, as well as industry-\u003cbr\u003eimposed regulations, specify the types of data that businesses must retain.\u003cbr\u003eFor example, the revised U.S. Federal Rules of Civil Procedure rule 37 on spoliation\u003cbr\u003eamplifies the importance of a clearly defined and enforced document retention policy\u003cbr\u003e(DRP). Additionally, these bodies set the length of time that specific types of data must be\u003cbr\u003eretained and maintained, along with the way in which that data is stored.\u003cbr\u003eInternationally, as of May 2018, Article 3 of the EU GDPR states that if a company\u003cbr\u003ecollects personal data or behavioral information from someone in an EU country when\u003cbr\u003edata is collected, your company is subject to the requirements of the GDPR which include\u003cbr\u003esignificant fines. U.S. companies, with a strong EU Web presence, should be changing \u003cbr\u003epractices now and implementing a sound data policy in response.\u003cbr\u003eA well-drafted policy will also identify documents that need to be preserved and\u003cbr\u003emaintained. It will further provide direction on how long to retain certain documents. A\u003cbr\u003ecomprehensive DRP that is enforced and followed by employees may be a lifesaver in the\u003cbr\u003eevent of burdensome litigation.\u003cbr\u003ePOINT 2: REVIEW CURRENT REGULATIONS\u003cbr\u003eReview state, federal, and industry specific rules\u003cbr\u003eA few regulatory bodies and acts that determine certain data retention durations and the\u003cbr\u003econditions of data removal include:\u003cbr\u003eA. The Health Insurance Portability and Accountability Act (HIPAA) is related to\u003cbr\u003ethe healthcare industry and applies to healthcare organizations and any business\u003cbr\u003ethat works with those organizations.\u003cbr\u003eB. The Sarbanes-Oxley Act (SOX) has its own provisions, related to the financial\u003cbr\u003eindustry.\u003cbr\u003eC. The Internal Revenue Service (IRS) applies to every type of business in any\u003cbr\u003elocation of the United States.\u003cbr\u003eD. The Children’s Online Privacy Protection Act (COPPA) is another act that applies\u003cbr\u003eto all businesses in the United States.\u003cbr\u003e\u003cbr\u003ePage 2 of 4\u003cbr\u003eE. The EU’s General Data Protection Regulation (GDPR) applies to any company\u003cbr\u003ethat does business with a resident of one of the 28 EU’s 28 member states.\u003cbr\u003eF. The U.S. Securities and Exchange Commission (SEC) requires certain SEC-\u003cbr\u003eregulated companies to keep emails for a minimum of three years (17 C.F.R. §\u003cbr\u003e240.17a-4).\u003cbr\u003eG. Determine whether your company's home state has adopted the Uniform\u003cbr\u003ePreservation of Private Business Records Act (UPPBRA), which includes a\u003cbr\u003edefinition of “business record.” If it does, include the term and definition in\u003cbr\u003eyour policy; this step will distinguish your DRP from documents that have\u003cbr\u003eno retention requirements. The UPPBRA states that whenever a law does not\u003cbr\u003especify a specific retention period then the business should keep their records for\u003cbr\u003ethree years.\u003cbr\u003eBuild Your Data Retention Policy Team\u003cbr\u003eYour data retention policy development team should include a legat and accounting\u003c\/p\u003e\n\u003cp\u003eexperts to thoroughly research any relevant laws, policies and regulations that affect your\u003cbr\u003eindustry and jurisdiction. Your team should also include individuals who manage financial\u003cbr\u003ereports and\/or are responsible for data retention settings (IT).\u003cbr\u003ePOINT 3: IDENTIFY DOCUMENTS \u0026amp; ASSIGN OWNERSHIP\u003cbr\u003eIdentify what electronic and physical documents your business produces, and assign\u003cbr\u003eownership. Determine whether this records compliance responsibility should be an\u003cbr\u003eindividual or department.\u003cbr\u003eDefine the Data to Be Included in Your Data Retention Policy\u003cbr\u003eRegardless of your industry or location, there are some general types of data that you must\u003cbr\u003einclude within your data retention policy, including:\u003cbr\u003e Documents\u003cbr\u003e Emails and other electronic documents\u003cbr\u003e Customer records\u003cbr\u003e Transactional information\u003cbr\u003e Spreadsheets\u003cbr\u003e Contracts\u003cbr\u003e Spreadsheets\u003cbr\u003e Correspondence between staff and clients, agents, vendors, shareholders and the\u003cbr\u003epublic\u003cbr\u003e Supplier and partner data\u003cbr\u003e Employee records\u003cbr\u003e Customer records\u003cbr\u003e Sales, invoice and billing information\u003cbr\u003e Tax and accounting documentation\u003cbr\u003e Financial reports\u003cbr\u003e Healthcare and patient data\u003cbr\u003e Student and educational data\u003cbr\u003e Any other data produced, collected and maintained in the fulfillment of regular\u003cbr\u003ebusiness activities\u003cbr\u003ePOINT 4: DRAFT YOUR DATA RETENTION POLICY\u003cbr\u003eDraft your DAP once you have determined how to manage old data (remove or archive).\u003cbr\u003eYour data retention policy should include the following:\u003cbr\u003eA. Purpose\u003cbr\u003eB. Applicable Laws, Regulations, Policies, Rules and Acts\u003cbr\u003eC. Record Retention and Deletion Schedule\u003cbr\u003eD. Litigation Plan\u003cbr\u003e\u003cbr\u003ePage 3 of 4\u003cbr\u003e\u003cbr\u003eE. Review and Update Schedule\u003cbr\u003eF. Detail instructions on storing, retaining, and preserving data\u003cbr\u003eDecide how to organize, where to store, how long to retain, and when to back up\u003cbr\u003edocuments. Describe the categories and types of documents that are confidential or\u003cbr\u003esensitive and cover the steps necessary to protect this type of information.\u003cbr\u003eSet guidelines on destroying expired or useless data. Once a document reaches its\u003cbr\u003eexpiration for retention, the policy needs to include details on how to handle data.\u003cbr\u003ePOINT 5: TRAIN \u0026amp;; STAY CURRENT\u003cbr\u003eTrain employees on the plan and communicate the processes. Training and implementing\u003cbr\u003ethe DRP should be strictly enforced with consequences for non-compliance. Go over\u003cbr\u003eindividuals responsible for enforcing, monitoring, and updating the policy. Address\u003cbr\u003eemployee document preservation and disposal protocol clearly and explicitly. Explain that\u003cbr\u003eemployees have no expectation of personal privacy in either communications they send or\u003cbr\u003ereceive through the company's email system, or documents they create or store on\u003cbr\u003ecompany equipment or premises. Discuss Bring Your Own Device (BYOD) to work and\u003cbr\u003eexplain the acceptable use (if any) of the following for conducting company business:\u003cbr\u003ehome computers, cloud storage, personal smart phones, personal email accounts, and\u003cbr\u003epersonal internet sites, blogs, and social media networks.\u003cbr\u003eCONCLUSION\u003cbr\u003eAs we have addressed above, establishing a data retention policy (DRP) assists\u003cbr\u003eorganizations with managing and protecting important data to avoid any civil, criminal,\u003cbr\u003eand\/or financial penalties that may result from poor data management practices. A DRP\u003cbr\u003eequips organizations with procedures to review, retain, and destroy documents possessed\u003cbr\u003eby or created in the course of business. A DRP assists organizations in removing outdated\u003cbr\u003eand duplicated data and creates an efficient use of storage space. The importance of\u003cbr\u003estaying current in today’s global business environment is paramount to remaining\u003cbr\u003ecompliant with local, state, federal and international policies, rules, statutes and laws, as\u003cbr\u003ewell as industry-imposed regulations with affect data retention management.\u003cbr\u003e\u003cbr\u003ePage 4 of 4\u003cbr\u003e\u003cbr\u003eREFERENCES\u003cbr\u003e\u003cbr\u003e1. https:\/\/www.acc.com\/legalresources\/publications\/topten\/building-a-document-\u003cbr\u003eretention-policy.cfm\u003cbr\u003e2. https:\/\/www.nfib.com\/Portals\/0\/PDF\/AllUsers\/legal\/guides\/document-retention-\u003cbr\u003epolicy-guide-nfib.pdf\u003cbr\u003e3. https:\/\/irch.com\/create-data-retention-policy-template\/\u003cbr\u003e4. http:\/\/www.lawjournalnewsletters.com\/2018\/05\/01\/are-u-s-records-retention-\u003cbr\u003erequirements-on-a-collision-course-with-the-gdprs-right-to-\u003cbr\u003eerasure\/?slreturn=20181128211535\u003cbr\u003e5. https:\/\/www.ispartnersllc.com\/blog\/5-steps-developing-data-retention-policy\/\u003cbr\u003e6. https:\/\/templatesumo.com\/business\/data-retention-policy-template-the-essential-\u003cbr\u003eguide-to-gdpr\/\u003cbr\u003e7. https:\/\/privacysniffs.com\/data-retention-law\/united-states-of-america\/\u003cbr\u003e8. https:\/\/www.archives.gov\/files\/records-mgmt\/2019-perm-electronic-records-\u003cbr\u003esuccess-criteria.pdf\u003cbr\u003e9. https:\/\/www.forbes.com\/sites\/forbestechcouncil\/2017\/12\/04\/yes-the-gdpr-will-\u003cbr\u003eaffect-your-u-s-based-business\/#68a6efd16ff2\u003cbr\u003e\u003cbr\u003eEXHIBIT WEBSITES\u003cbr\u003e\u003cbr\u003eBelow are websites that offer templates and other assistance with developing a DRP.\u003c\/p\u003e","published_at":"2019-02-15T12:40:31-08:00","created_at":"2019-02-15T12:45:57-08:00","vendor":"Aaron \u0026 Aaron Inc. (dba Ulrich, Nash \u0026 Gump) CLE","type":"Webinar","tags":["#Data","#internet","#ITlaw","credit-state_california","credit-state_colorado","credit-state_florida","credit-state_new-jersey","credit-state_new-york","technology"],"price":5900,"price_min":5900,"price_max":5900,"available":true,"price_varies":false,"compare_at_price":5900,"compare_at_price_min":5900,"compare_at_price_max":5900,"compare_at_price_varies":false,"variants":[{"id":21444545445967,"title":"Default Title","option1":"Default Title","option2":null,"option3":null,"sku":"","requires_shipping":false,"taxable":true,"featured_image":null,"available":true,"name":"#661 IT LAW: DOCUMENT\/DATA RETENTION POLICY (DRP)","public_title":null,"options":["Default Title"],"price":5900,"weight":0,"compare_at_price":5900,"inventory_quantity":0,"inventory_management":null,"inventory_policy":"deny","barcode":""}],"images":["\/\/cdn.shopify.com\/s\/files\/1\/0541\/9885\/products\/NYScreen_Shot_2017-09-06_at_1.24.58_PM_1.png?v=1550263566"],"featured_image":"\/\/cdn.shopify.com\/s\/files\/1\/0541\/9885\/products\/NYScreen_Shot_2017-09-06_at_1.24.58_PM_1.png?v=1550263566","options":["Title"],"content":"\u003cp\u003e\u003ciframe id=\"ls_embed_1551590086\" src=\"https:\/\/livestream.com\/accounts\/10812142\/events\/8528637\/videos\/188056784\/player?width=640\u0026amp;height=360\u0026amp;enableInfo=true\u0026amp;defaultDrawer=\u0026amp;autoPlay=true\u0026amp;mute=false\" width=\"640\" height=\"360\" frameborder=\"0\" scrolling=\"no\" allowfullscreen=\"\"\u003e \u003c\/iframe\u003e\u003cscript type=\"text\/javascript\" data-embed_id=\"ls_embed_1551590086\" src=\"https:\/\/livestream.com\/assets\/plugins\/referrer_tracking.js\"\u003e\u003c\/script\u003e\u003c\/p\u003e\n\u003cp\u003eSPEAKER DR. ERIN HILL\u003c\/p\u003e\n\u003cp\u003eHOURS 1 HOUR MCLE\u003c\/p\u003e\n\u003cp\u003eTOPIC: IT LAW: DOCUMENT\/DATA RETENTION POLICY\u003c\/p\u003e\n\u003cp\u003e(meets the Technology requirements for Florida and NY)\u003c\/p\u003e\n\u003cp\u003eDOCUMENT RETENTION POLICY (DRP)\u003cbr\u003eMCLE Seminars: Ulrich Nash and Gump Legal Education\u003cbr\u003e\u003cbr\u003eSpeaker: Erin Hill\u003cbr\u003e________________________________________________________________________\u003cbr\u003eAGENDA:\u003cbr\u003ePOINT 1: REASONS TO ESTABLISH A DOCUMENT RETENTION POLICY\u003cbr\u003ePOINT 2: REVIEW CURRENT REGULATIONS\u003cbr\u003ePOINT 3: IDENTIFY DOCUMENTS \u0026amp; ASSIGN OWNERSHIP\u003cbr\u003ePOINT 4: DRAFT YOUR DATA RETENTION POLICY\u003cbr\u003ePOINT 5: TRAIN \u0026amp;; STAY CURRENT\u003c\/p\u003e\n\u003cp\u003eCONCLUSION\u003cbr\u003ePOINT 1: REASONS TO ESTABLISH A DOCUMENT RETENTION POLICY\u003cbr\u003eEstablishing a data retention policy (DRP) assists organizations with managing and\u003cbr\u003eprotecting important data to avoid any civil, criminal, and\/or financial penalties that may\u003cbr\u003eresult from poor data management practices. A DRP equips organizations with procedures\u003cbr\u003eto review, retain, and destroy documents possessed by or created in the course of business.\u003cbr\u003eLocal, state, federal and international policies, rules, statutes and laws, as well as industry-\u003cbr\u003eimposed regulations, specify the types of data that businesses must retain.\u003cbr\u003eFor example, the revised U.S. Federal Rules of Civil Procedure rule 37 on spoliation\u003cbr\u003eamplifies the importance of a clearly defined and enforced document retention policy\u003cbr\u003e(DRP). Additionally, these bodies set the length of time that specific types of data must be\u003cbr\u003eretained and maintained, along with the way in which that data is stored.\u003cbr\u003eInternationally, as of May 2018, Article 3 of the EU GDPR states that if a company\u003cbr\u003ecollects personal data or behavioral information from someone in an EU country when\u003cbr\u003edata is collected, your company is subject to the requirements of the GDPR which include\u003cbr\u003esignificant fines. U.S. companies, with a strong EU Web presence, should be changing \u003cbr\u003epractices now and implementing a sound data policy in response.\u003cbr\u003eA well-drafted policy will also identify documents that need to be preserved and\u003cbr\u003emaintained. It will further provide direction on how long to retain certain documents. A\u003cbr\u003ecomprehensive DRP that is enforced and followed by employees may be a lifesaver in the\u003cbr\u003eevent of burdensome litigation.\u003cbr\u003ePOINT 2: REVIEW CURRENT REGULATIONS\u003cbr\u003eReview state, federal, and industry specific rules\u003cbr\u003eA few regulatory bodies and acts that determine certain data retention durations and the\u003cbr\u003econditions of data removal include:\u003cbr\u003eA. The Health Insurance Portability and Accountability Act (HIPAA) is related to\u003cbr\u003ethe healthcare industry and applies to healthcare organizations and any business\u003cbr\u003ethat works with those organizations.\u003cbr\u003eB. The Sarbanes-Oxley Act (SOX) has its own provisions, related to the financial\u003cbr\u003eindustry.\u003cbr\u003eC. The Internal Revenue Service (IRS) applies to every type of business in any\u003cbr\u003elocation of the United States.\u003cbr\u003eD. The Children’s Online Privacy Protection Act (COPPA) is another act that applies\u003cbr\u003eto all businesses in the United States.\u003cbr\u003e\u003cbr\u003ePage 2 of 4\u003cbr\u003eE. The EU’s General Data Protection Regulation (GDPR) applies to any company\u003cbr\u003ethat does business with a resident of one of the 28 EU’s 28 member states.\u003cbr\u003eF. The U.S. Securities and Exchange Commission (SEC) requires certain SEC-\u003cbr\u003eregulated companies to keep emails for a minimum of three years (17 C.F.R. §\u003cbr\u003e240.17a-4).\u003cbr\u003eG. Determine whether your company's home state has adopted the Uniform\u003cbr\u003ePreservation of Private Business Records Act (UPPBRA), which includes a\u003cbr\u003edefinition of “business record.” If it does, include the term and definition in\u003cbr\u003eyour policy; this step will distinguish your DRP from documents that have\u003cbr\u003eno retention requirements. The UPPBRA states that whenever a law does not\u003cbr\u003especify a specific retention period then the business should keep their records for\u003cbr\u003ethree years.\u003cbr\u003eBuild Your Data Retention Policy Team\u003cbr\u003eYour data retention policy development team should include a legat and accounting\u003c\/p\u003e\n\u003cp\u003eexperts to thoroughly research any relevant laws, policies and regulations that affect your\u003cbr\u003eindustry and jurisdiction. Your team should also include individuals who manage financial\u003cbr\u003ereports and\/or are responsible for data retention settings (IT).\u003cbr\u003ePOINT 3: IDENTIFY DOCUMENTS \u0026amp; ASSIGN OWNERSHIP\u003cbr\u003eIdentify what electronic and physical documents your business produces, and assign\u003cbr\u003eownership. Determine whether this records compliance responsibility should be an\u003cbr\u003eindividual or department.\u003cbr\u003eDefine the Data to Be Included in Your Data Retention Policy\u003cbr\u003eRegardless of your industry or location, there are some general types of data that you must\u003cbr\u003einclude within your data retention policy, including:\u003cbr\u003e Documents\u003cbr\u003e Emails and other electronic documents\u003cbr\u003e Customer records\u003cbr\u003e Transactional information\u003cbr\u003e Spreadsheets\u003cbr\u003e Contracts\u003cbr\u003e Spreadsheets\u003cbr\u003e Correspondence between staff and clients, agents, vendors, shareholders and the\u003cbr\u003epublic\u003cbr\u003e Supplier and partner data\u003cbr\u003e Employee records\u003cbr\u003e Customer records\u003cbr\u003e Sales, invoice and billing information\u003cbr\u003e Tax and accounting documentation\u003cbr\u003e Financial reports\u003cbr\u003e Healthcare and patient data\u003cbr\u003e Student and educational data\u003cbr\u003e Any other data produced, collected and maintained in the fulfillment of regular\u003cbr\u003ebusiness activities\u003cbr\u003ePOINT 4: DRAFT YOUR DATA RETENTION POLICY\u003cbr\u003eDraft your DAP once you have determined how to manage old data (remove or archive).\u003cbr\u003eYour data retention policy should include the following:\u003cbr\u003eA. Purpose\u003cbr\u003eB. Applicable Laws, Regulations, Policies, Rules and Acts\u003cbr\u003eC. Record Retention and Deletion Schedule\u003cbr\u003eD. Litigation Plan\u003cbr\u003e\u003cbr\u003ePage 3 of 4\u003cbr\u003e\u003cbr\u003eE. Review and Update Schedule\u003cbr\u003eF. Detail instructions on storing, retaining, and preserving data\u003cbr\u003eDecide how to organize, where to store, how long to retain, and when to back up\u003cbr\u003edocuments. Describe the categories and types of documents that are confidential or\u003cbr\u003esensitive and cover the steps necessary to protect this type of information.\u003cbr\u003eSet guidelines on destroying expired or useless data. Once a document reaches its\u003cbr\u003eexpiration for retention, the policy needs to include details on how to handle data.\u003cbr\u003ePOINT 5: TRAIN \u0026amp;; STAY CURRENT\u003cbr\u003eTrain employees on the plan and communicate the processes. Training and implementing\u003cbr\u003ethe DRP should be strictly enforced with consequences for non-compliance. Go over\u003cbr\u003eindividuals responsible for enforcing, monitoring, and updating the policy. Address\u003cbr\u003eemployee document preservation and disposal protocol clearly and explicitly. Explain that\u003cbr\u003eemployees have no expectation of personal privacy in either communications they send or\u003cbr\u003ereceive through the company's email system, or documents they create or store on\u003cbr\u003ecompany equipment or premises. Discuss Bring Your Own Device (BYOD) to work and\u003cbr\u003eexplain the acceptable use (if any) of the following for conducting company business:\u003cbr\u003ehome computers, cloud storage, personal smart phones, personal email accounts, and\u003cbr\u003epersonal internet sites, blogs, and social media networks.\u003cbr\u003eCONCLUSION\u003cbr\u003eAs we have addressed above, establishing a data retention policy (DRP) assists\u003cbr\u003eorganizations with managing and protecting important data to avoid any civil, criminal,\u003cbr\u003eand\/or financial penalties that may result from poor data management practices. A DRP\u003cbr\u003eequips organizations with procedures to review, retain, and destroy documents possessed\u003cbr\u003eby or created in the course of business. A DRP assists organizations in removing outdated\u003cbr\u003eand duplicated data and creates an efficient use of storage space. The importance of\u003cbr\u003estaying current in today’s global business environment is paramount to remaining\u003cbr\u003ecompliant with local, state, federal and international policies, rules, statutes and laws, as\u003cbr\u003ewell as industry-imposed regulations with affect data retention management.\u003cbr\u003e\u003cbr\u003ePage 4 of 4\u003cbr\u003e\u003cbr\u003eREFERENCES\u003cbr\u003e\u003cbr\u003e1. https:\/\/www.acc.com\/legalresources\/publications\/topten\/building-a-document-\u003cbr\u003eretention-policy.cfm\u003cbr\u003e2. https:\/\/www.nfib.com\/Portals\/0\/PDF\/AllUsers\/legal\/guides\/document-retention-\u003cbr\u003epolicy-guide-nfib.pdf\u003cbr\u003e3. https:\/\/irch.com\/create-data-retention-policy-template\/\u003cbr\u003e4. http:\/\/www.lawjournalnewsletters.com\/2018\/05\/01\/are-u-s-records-retention-\u003cbr\u003erequirements-on-a-collision-course-with-the-gdprs-right-to-\u003cbr\u003eerasure\/?slreturn=20181128211535\u003cbr\u003e5. https:\/\/www.ispartnersllc.com\/blog\/5-steps-developing-data-retention-policy\/\u003cbr\u003e6. https:\/\/templatesumo.com\/business\/data-retention-policy-template-the-essential-\u003cbr\u003eguide-to-gdpr\/\u003cbr\u003e7. https:\/\/privacysniffs.com\/data-retention-law\/united-states-of-america\/\u003cbr\u003e8. https:\/\/www.archives.gov\/files\/records-mgmt\/2019-perm-electronic-records-\u003cbr\u003esuccess-criteria.pdf\u003cbr\u003e9. https:\/\/www.forbes.com\/sites\/forbestechcouncil\/2017\/12\/04\/yes-the-gdpr-will-\u003cbr\u003eaffect-your-u-s-based-business\/#68a6efd16ff2\u003cbr\u003e\u003cbr\u003eEXHIBIT WEBSITES\u003cbr\u003e\u003cbr\u003eBelow are websites that offer templates and other assistance with developing a DRP.\u003c\/p\u003e"}

#661 IT LAW: DOCUMENT/DATA RETENTION POLICY (DRP)

Product Description
$ 59.00
Maximum quantity available reached.

SPEAKER DR. ERIN HILL

HOURS 1 HOUR MCLE

TOPIC: IT LAW: DOCUMENT/DATA RETENTION POLICY

(meets the Technology requirements for Florida and NY)

DOCUMENT RETENTION POLICY (DRP)
MCLE Seminars: Ulrich Nash and Gump Legal Education

Speaker: Erin Hill
________________________________________________________________________
AGENDA:
POINT 1: REASONS TO ESTABLISH A DOCUMENT RETENTION POLICY
POINT 2: REVIEW CURRENT REGULATIONS
POINT 3: IDENTIFY DOCUMENTS & ASSIGN OWNERSHIP
POINT 4: DRAFT YOUR DATA RETENTION POLICY
POINT 5: TRAIN &; STAY CURRENT

CONCLUSION
POINT 1: REASONS TO ESTABLISH A DOCUMENT RETENTION POLICY
Establishing a data retention policy (DRP) assists organizations with managing and
protecting important data to avoid any civil, criminal, and/or financial penalties that may
result from poor data management practices. A DRP equips organizations with procedures
to review, retain, and destroy documents possessed by or created in the course of business.
Local, state, federal and international policies, rules, statutes and laws, as well as industry-
imposed regulations, specify the types of data that businesses must retain.
For example, the revised U.S. Federal Rules of Civil Procedure rule 37 on spoliation
amplifies the importance of a clearly defined and enforced document retention policy
(DRP). Additionally, these bodies set the length of time that specific types of data must be
retained and maintained, along with the way in which that data is stored.
Internationally, as of May 2018, Article 3 of the EU GDPR states that if a company
collects personal data or behavioral information from someone in an EU country when
data is collected, your company is subject to the requirements of the GDPR which include
significant fines. U.S. companies, with a strong EU Web presence, should be changing 
practices now and implementing a sound data policy in response.
A well-drafted policy will also identify documents that need to be preserved and
maintained. It will further provide direction on how long to retain certain documents. A
comprehensive DRP that is enforced and followed by employees may be a lifesaver in the
event of burdensome litigation.
POINT 2: REVIEW CURRENT REGULATIONS
Review state, federal, and industry specific rules
A few regulatory bodies and acts that determine certain data retention durations and the
conditions of data removal include:
A. The Health Insurance Portability and Accountability Act (HIPAA) is related to
the healthcare industry and applies to healthcare organizations and any business
that works with those organizations.
B. The Sarbanes-Oxley Act (SOX) has its own provisions, related to the financial
industry.
C. The Internal Revenue Service (IRS) applies to every type of business in any
location of the United States.
D. The Children’s Online Privacy Protection Act (COPPA) is another act that applies
to all businesses in the United States.

Page 2 of 4
E. The EU’s General Data Protection Regulation (GDPR) applies to any company
that does business with a resident of one of the 28 EU’s 28 member states.
F. The U.S. Securities and Exchange Commission (SEC) requires certain SEC-
regulated companies to keep emails for a minimum of three years (17 C.F.R. §
240.17a-4).
G. Determine whether your company's home state has adopted the Uniform
Preservation of Private Business Records Act (UPPBRA), which includes a
definition of “business record.” If it does, include the term and definition in
your policy; this step will distinguish your DRP from documents that have
no retention requirements. The UPPBRA states that whenever a law does not
specify a specific retention period then the business should keep their records for
three years.
Build Your Data Retention Policy Team
Your data retention policy development team should include a legat and accounting

experts to thoroughly research any relevant laws, policies and regulations that affect your
industry and jurisdiction. Your team should also include individuals who manage financial
reports and/or are responsible for data retention settings (IT).
POINT 3: IDENTIFY DOCUMENTS & ASSIGN OWNERSHIP
Identify what electronic and physical documents your business produces, and assign
ownership. Determine whether this records compliance responsibility should be an
individual or department.
Define the Data to Be Included in Your Data Retention Policy
Regardless of your industry or location, there are some general types of data that you must
include within your data retention policy, including:
 Documents
 Emails and other electronic documents
 Customer records
 Transactional information
 Spreadsheets
 Contracts
 Spreadsheets
 Correspondence between staff and clients, agents, vendors, shareholders and the
public
 Supplier and partner data
 Employee records
 Customer records
 Sales, invoice and billing information
 Tax and accounting documentation
 Financial reports
 Healthcare and patient data
 Student and educational data
 Any other data produced, collected and maintained in the fulfillment of regular
business activities
POINT 4: DRAFT YOUR DATA RETENTION POLICY
Draft your DAP once you have determined how to manage old data (remove or archive).
Your data retention policy should include the following:
A. Purpose
B. Applicable Laws, Regulations, Policies, Rules and Acts
C. Record Retention and Deletion Schedule
D. Litigation Plan

Page 3 of 4

E. Review and Update Schedule
F. Detail instructions on storing, retaining, and preserving data
Decide how to organize, where to store, how long to retain, and when to back up
documents. Describe the categories and types of documents that are confidential or
sensitive and cover the steps necessary to protect this type of information.
Set guidelines on destroying expired or useless data. Once a document reaches its
expiration for retention, the policy needs to include details on how to handle data.
POINT 5: TRAIN &; STAY CURRENT
Train employees on the plan and communicate the processes. Training and implementing
the DRP should be strictly enforced with consequences for non-compliance. Go over
individuals responsible for enforcing, monitoring, and updating the policy. Address
employee document preservation and disposal protocol clearly and explicitly. Explain that
employees have no expectation of personal privacy in either communications they send or
receive through the company's email system, or documents they create or store on
company equipment or premises. Discuss Bring Your Own Device (BYOD) to work and
explain the acceptable use (if any) of the following for conducting company business:
home computers, cloud storage, personal smart phones, personal email accounts, and
personal internet sites, blogs, and social media networks.
CONCLUSION
As we have addressed above, establishing a data retention policy (DRP) assists
organizations with managing and protecting important data to avoid any civil, criminal,
and/or financial penalties that may result from poor data management practices. A DRP
equips organizations with procedures to review, retain, and destroy documents possessed
by or created in the course of business. A DRP assists organizations in removing outdated
and duplicated data and creates an efficient use of storage space. The importance of
staying current in today’s global business environment is paramount to remaining
compliant with local, state, federal and international policies, rules, statutes and laws, as
well as industry-imposed regulations with affect data retention management.

Page 4 of 4

REFERENCES

1. https://www.acc.com/legalresources/publications/topten/building-a-document-
retention-policy.cfm
2. https://www.nfib.com/Portals/0/PDF/AllUsers/legal/guides/document-retention-
policy-guide-nfib.pdf
3. https://irch.com/create-data-retention-policy-template/
4. http://www.lawjournalnewsletters.com/2018/05/01/are-u-s-records-retention-
requirements-on-a-collision-course-with-the-gdprs-right-to-
erasure/?slreturn=20181128211535
5. https://www.ispartnersllc.com/blog/5-steps-developing-data-retention-policy/
6. https://templatesumo.com/business/data-retention-policy-template-the-essential-
guide-to-gdpr/
7. https://privacysniffs.com/data-retention-law/united-states-of-america/
8. https://www.archives.gov/files/records-mgmt/2019-perm-electronic-records-
success-criteria.pdf
9. https://www.forbes.com/sites/forbestechcouncil/2017/12/04/yes-the-gdpr-will-
affect-your-u-s-based-business/#68a6efd16ff2

EXHIBIT WEBSITES

Below are websites that offer templates and other assistance with developing a DRP.

Click the links below to download log sheets.

CALIFORNIA LOG SHEETS

Page 1 of 4

Page 2 of 4

Page 3 of 4

Page 4 of 4

 

 

Related Products