Need a Dumpster?


How to Create a Record Retention Policy

How to Create a Record Retention Policy

Setting Smart Record Retention Guidelines for Your Business

Please note: This information is not legal advice. Check with a qualified attorney before taking any of the steps recommended below.

Is your office buried in paper?

Even in the age of cloud storage, most businesses process hundreds or thousands of paper documents every year. These tend to pile up because we assume that holding onto everything is the best way to avoid legal headaches down the road. But you also have a legal obligation to protect any personal information in those stacks of paper. And storing documents longer than necessary increases the risk of mismanagement or theft. 

To minimize security risks, you should create a record retention policy for your business that spells out how long documents should be kept and how to safely dispose of them after that time has passed.

This can be intimidating, so we created a step-by-step guide to help you get started.

Creating an Effective Record Retention Policy

Businesses should establish record retention guidelines that follow the law and keep personal information out of the wrong hands. An effective record retention policy:

  • Accounts for the legal requirements of your state and industry.
  • Applies to all departments.
  • Specifies who will oversee and enforce record retention requirements.
  • Includes a standardized system for classifying document types.
  • Outlines where documents will be stored and who will have access.
  • Defines how long each document type will be retained before destruction.
  • Explains how documents will be destroyed after their retention period is up.

How to Develop a Record Retention Policy

Step 1: Assemble a Team

Unless you run a very small business, setting record retention guidelines shouldn’t be a one-person job. Recruit representatives from each department in your organization. A committee approach will limit mistakes and ensure your policy makes sense for everyone.

Step 2: Identify All Your Document Types

Your team’s first task is to understand all the document types your business handles and create a labeling system. It doesn’t have to be complicated; the goal is to make it easy to categorize documents as they’re created so each can be retained and/or destroyed as appropriate.

Your document categories will depend on the specifics of your business, but we’ve put together some examples of what you can expect to see.

Example Document Types:

Tax Documents:
  • Payroll tax returns
  • Sales tax returns
  • Cancelled checks
  • Etc.
Personnel Information:
  • Personnel files
  • Disability benefits records
  • Medical benefits records
  • Withholding tax statements
  • Contracts
  • Etc.
Insurance Documents:
  • Policies
  • Accident reports
  • Settled Claims
  • Etc.
Financial Documents:
  • Bank deposit slips
  • Purchase and sales contracts
  • Annual financial statements
  • Sales and cash register receipts
  • Time cards
  • Etc.
Shipping and Receiving Documents:
  • Freight bills
  • Waybills
  • Manifests
  • Bills of lading
  • Etc.


Step 3: Learn the Legal Requirements

Next, your team will need to research the legal requirements for retention and destruction that apply to your document categories. These laws will differ based on your industry and your location. A law firm in Ohio may be subject to different rules than a doctor’s office in Texas. 

Begin your research using these resources:

For General Information: 

For Law Firms:

For the Health & Medical Fields:

It can be difficult to track down the legal requirements for all the documents your business deals with. So, it’s important to document your research process. *Ask your lawyer about the best way to go about this.

If you’re ever in legal or regulatory trouble over some aspect of your retention policy, you may be able to use this documentation to show that you made a good-faith effort to follow the law.

Note that laws often state that you must retain a certain document type without specifying how long. In states that have adopted the Uniform Preservation of Private Business Records Act (linked above), documents with no specified retention length can usually be destroyed after three years.

Many businesses choose to follow this guideline even if their state hasn’t adopted this standard. As with any decision with legal implications, talk with your lawyer before making this choice for your own business.

Step 4: Create Your Retention Schedule

After researching your industry’s record retention requirements, it’s time to use that information to set your retention schedule.

A retention schedule should list all the document types your business handles and state how long each must be kept before destruction. You can organize your schedule as a table, a list or in any other format you feel would make it easy for your staff to follow.

Once you’ve created your retention schedule, train your employees on how to use it and make sure that the schedule is saved in a shared location so everyone can refer to it as needed.

Step 5: Create Storage Rules

Your record retention guidelines should also spell out how to store your documents safely and securely during their retention period. 

How to Store Business Documents Properly

  • Keep all files in a secure area that the public cannot access.
  • Use locking file cabinets to store any documents that contain credit card information, social security numbers, addresses or other identifying information.
  • Store files in a room that locks using a different key from the other doors in your building.
  • Only give access to employees who need the documents to do their jobs.
  • Create a system to track when documents are removed from storage.
  • Ensure that all documents are returned to storage within a reasonable timeframe.
  • Designate another secure area to store documents awaiting destruction. 

Step 6: Set Document Destruction Rules

The final step in creating your record retention policy is to specify how documents should be disposed of at the end of their retention period. 

Guidelines for Proper Disposal of Personal Information

  • NEVER put sensitive documents in the trash or a recycling bin. 
  • Hire a service to shred documents on a regular basis. 
  • Consider choosing an on-site shredding service if you deal with particularly sensitive information like medical records.
  • Always ask your shredding service for a certificate of destruction. Keep these certificates to prove you’re following the legal requirements for shredding documents.

With a smart record retention policy in place, your business will run more efficiently and you can rest easy knowing important information can’t easily fall into the wrong hands. Check out our Advice & Resources page for more guides that might be helpful for your business.

What do you think?

Have thoughts on this topic? We’re listening. Head over to Twitter or Facebook and use #dumpstersblog to join the conversation.