• Jurisdiction official name: French Republic
• Legal system type: Civil law system with a dual court structure (judicial and administrative)
• Primary language(s) of law/government: French
• General Description of RIM landscape: France imposes statutory record retention obligations across commercial, tax, employment, and regulated sectors. In addition, these requirements are influenced by GDPR compliance expectations. Retention periods are primarily set by the Commercial Code, Civil Code, and Tax Procedure Code. As a result, organizations must manage records across multiple legal frameworks. Data protection requirements under GDPR strongly influence retention schedule management.

Zasio Research Scope & Depth

• Total Zasio citations captured: 1,239
• Primary sources relied upon:
  • Commercial Code
  • Civil Code
  • Tax Procedure Code
  • Labor Code

Core France Recordkeeping Obligations

• How long must businesses keep accounting records? 10 years (Commercial Code)
• How long must employers keep personnel records? Generally, 5 years, with some records kept until retirement.
• Industries most heavily regulated: Healthcare and life sciences, financial services, telecommunications, advertising and e-commerce, public sector.
• Other Notable retention timeframes: Tax records 6 years; commercial correspondence and invoices 10 years; certain civil status records kept for life.

What makes this jurisdiction interesting

• Unique or surprising aspect: France’s data protection authority, the CNIL, is one of the most active and enforcement-oriented supervisory authorities in Europe, regularly issuing high-profile GDPR fines and public sanctions across both private and public sectors.
• Common organizational challenge: Aligning statutory retention obligations with GDPR data minimization and deletion requirements, particularly where business teams seek to retain data longer for operational or evidentiary reasons.
• Emerging trend: Intensified CNIL enforcement focused on data retention periods, cookie compliance, security measures, and failure to cooperate with regulatory investigations.

France Records Management Business Relevance

• Why this jurisdiction matters: France is one of the EU’s largest markets. As a result, it serves as a leading GDPR enforcement jurisdiction, setting practical benchmarks for compliance expectations across Europe.
• Most impacted organizations: Multinational companies processing EU personal data, digital platforms, healthcare and life sciences organizations, and entities operating customer facing technologies.
• How this research supports clients: It helps clients design defensible retention and deletion practices that comply with French statutory requirements and withstand CNIL scrutiny.

Disclaimer: The purpose of this post is to provide general education on records management solutions. The statements are informational only and do not constitute legal advice. Any references to legal or regulatory recordkeeping requirements are provided for general guidance purposes and may not reflect all obligations applicable to your organization. Additional or alternative requirements may apply based on your organization’s industry, jurisdiction, risk profile, and specific business activities. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post Record Keeping and Information Governance in France: Jurisdiction Overview appeared first on Zasio.

But with greater reliance comes increased complexity, as the latest headlines reveal risks beyond the typical mass breach incidents we’ve grown accustomed to. Just recently, a Microsoft executive admitted EU data may not be safe from U.S. government access. Also, Apple is pushing back against UK demands to weaken iCloud encryption. These cases spotlight the rising tension between privacy, security, and control, revealing critical issues for records managers navigating today’s cloud-first world.

As cloud reliance deepens and risks become more visible, records management professionals must take steps to safeguard data and ensure compliance. The following key takeaways offer practical guidance for strengthening records management practices in the cloud era.

Highlights for Records Management Professionals

To navigate risks in the cloud environment, records managers must adopt a strategic, informed approach to data governance, security, and compliance. The following provide guidance for doing so.

1. Location, Transfers, and Data Sovereignty: GDPR and privacy laws teach us where your data originates or lives matters. Cross-border data transfers require strict safeguards, making it essential to assess where and how data is stored and accessed.
   Along these same lines, organizations must carefully evaluate data sovereignty, the principle that data is subject to the laws and governance structures of the country in which it is physically stored. Date sovereignty can impact access rights, government surveillance, and legal rights. It is important to be aware of the laws of the country where data is stored for the above-mentioned reasons, and especially for personal, sensitive, or regulated data.
2. Encryption is Crucial, but not a Magic Solution: Encryption protects data from hackers, but it doesn’t solve the challenges of legal requests or backdoors. Records managers should understand limitations of encryption and consider additional measures to protect information.
   Two key pillars of strong encryption are end-to-end protection and long key bit lengths. End-to-end encryption keeps data private during transmission, but it can’t protect compromised devices. Longer keys make attacks harder, though they may slow performance. Records managers should weigh these trade-offs when designing secure systems.
3. Shared Responsibility in the Cloud: Cloud providers protect the infrastructure, but organizations remain responsible for the security of their data within the cloud environment. Two common traps in cloud storage are misconfigured open ports and accidental backdoor access. Open ports can expose systems to unauthorized entry if not properly secured, while overlooked integrations or legacy settings may unintentionally create hidden access paths. Records managers should stay alert to these risks and work closely with IT to tighten cloud configurations.
4. Vendor Due Diligence is Important: Thoroughly vet cloud service providers, focusing on their data protection policies, compliance certifications, and contractual agreements regarding data access. Organizations should review relevant third-party audit reports and evaluate service level agreements for clarity on compliance responsibilities.
5. Stay informed about Evolving Regulations: Data privacy, recordkeeping, and other relevant laws and regulations are constantly changing. Records managers must stay on top of the latest legal developments and adjust their strategies accordingly to avoid penalties. Because of the ever-evolving nature of organizations, laws, and data flows, think of compliance as ongoing and not a one-time task.
6. Data Governance is Essential: Strong governance policies, including data classification, access controls, and retention schedules, are necessary for managing data effectively and ensuring compliance.

To stay current, consider subscribing to regulatory news feeds, joining professional listservs, and attending webinars or industry conferences. These channels offer timely insights and peer perspectives that help records managers adapt with confidence.

The Critical Role of Records Management

These recent examples underscore how harnessing the immense benefits of the cloud require a proactive and comprehensive approach to records management. It’s not enough to simply store data in the cloud and assume it’s secure or compliant. Records managers must actively participate in selecting cloud providers, defining data governance policies, implementing security measures, and staying current with the legal and regulatory landscape. By embracing these best practices, organizations can confidently leverage the benefits of cloud services while safeguarding their valuable information assets.

Questions & Answers:

What new risks are emerging with cloud reliance?

A: Beyond data breaches, geopolitical tensions, and legal access issues (e.g., cross-border surveillance, encryption mandates) are raising concerns about privacy and control.

What is data sovereignty and why does it matter?

A: Data sovereignty means data is governed by the laws of the country where it’s stored. This affects surveillance rights, legal obligations, and privacy protections, especially for sensitive or regulated records.

Is encryption enough to protect cloud data?

A: No. While encryption defends against hackers, it doesn’t prevent lawful access or device compromise. Records managers should combine encryption with strong governance and access controls.

Who is responsible for cloud data security?

A: It’s a shared responsibility. Cloud providers secure infrastructure, but organizations must configure access, monitor risks, and protect their own data.

How should organizations vet cloud vendors?

A: Review data protection policies, compliance certifications, SLAs, and third-party audits. Ensure contractual clarity on data access and responsibilities.

What types of records management governance practices support cloud compliance?

A: Implement clear data classification, access controls, and retention schedules. These policies help ensure defensible, efficient records management.

Disclaimer: The purpose of this post is to provide general education on information governance solutions. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post Cloud Chaos or Confidence? Revisiting the Evolving Digital Landscape in RIM appeared first on Zasio.

Date: Thursday, Aug. 21, 2025

Featuring Brandon Tuley, Senior Analyst & Jennifer Chadband and Rick Surber, Zasio Senior Consultants

Editorial Note: Portions of this transcript have been reviewed and refined using AI tools to improve readability, punctuation, and clarity. While the content remains true to the original discussion, minor edits were made to enhance understanding.

—

Thanks, Jerry, for that introduction, and thanks, everyone, for joining us today.

We’re really excited to have Brandon with us.

Brandon is a senior analyst and has been with us for a little over five years.

In that time, he’s established himself as an important part of our consulting division and has had plenty of opportunities to dive deep into this topic. He’s incredibly knowledgeable, and we’re happy to have this conversation today.

Just a quick introduction to Virtual Coffee:
If this is your first time joining us, we encourage everyone to grab a cup of coffee—or whatever your beverage of choice is: Diet Coke, water, etc.

We try to structure these sessions with visuals and slides to guide the conversation, but we keep things casual and conversational. We’ll share industry best practices, general trends we’re seeing, and some guidance we’ve developed that we hope will be helpful.

We welcome questions throughout.
There are opportunities to submit them, and we’ve received quite a few in advance. While we won’t be able to address all of them today, we’ll follow up afterward as needed.

Now, a bit more on today’s topic:
This is a fascinating area for a few reasons. We’re thinking about HR records, personal data, and the evolving technology used to manage these records—even down to a very granular level.

About eight years ago, I wrote a blog titled Is Big Bucket Dead in the Age of Privacy? We’ll revisit that question today and explore how things have evolved, especially in the context of HR-related records.

There’s a lot to cover, so I’ll hand it over to Brandon to walk us through the agenda and the key subtopics we’ll be discussing.

Brandon:
Thanks for the introduction, Jen, and thank you all for joining us.

I’ll start with a bit of a spoiler: the big bucket retention schedule is still very much alive.
We’ll talk about why it remains a best practice and how it’s evolving under increasing privacy pressures.

From high-level strategy to specific HR record categories, we’ve got a full agenda.
We’ll cover:

• The tension between big bucket simplicity and data object-level complexity
• How to bridge that gap while keeping privacy in mind
• Specific “hot ticket” areas within HR records

To kick things off, let’s talk about a common challenge: the deletion vs. retention dilemma.

I think of this as a classic tug-of-war:

• Privacy advocates say delete it.
• Operations wants to keep it.
• Legal says, “It depends.”

Each stakeholder has valid reasons.
Privacy concerns and administrative costs drive deletion.
Retention is often justified by legal requirements or past experiences where old records were needed.
Legal, of course, tends to hedge.

Once you’ve worked through that dilemma, global operations add another layer of complexity.
You’re trying to create a unified policy that accounts for different jurisdictions and record types—a one-size-fits-all approach that’s incredibly difficult to achieve.

Over the past few years, especially post-GDPR, we’ve seen more organizations reassessing global retention periods—particularly for buckets containing personal data.
They’re trying to apply the data minimization principle, shorten retention periods, and avoid unnecessary data storage.

Then comes the structure of the retention schedule itself:
Are we aiming for big buckets or a granular approach?

The answer is: both.

The goal is to strike the right balance—broad enough to be manageable, but with carve-outs where privacy demands it.
Too little granularity leads to over-retention.
Too much, and the schedule becomes impossible to follow.

We want that middle ground—structured enough to be compliant, but simple enough to be practical.

With that, I’ll pass it back to Jen to talk about data object-level management and how it fits into the big bucket model.

Jen:
Thanks, Brandon.
You hit on some of the most important points—especially the tension we’re all trying to manage between simplicity and precision.

Let’s talk about how we go granular—and why.

I think this is definitely being driven by privacy laws.

Stepping back and looking at the retention schedule, we’re also considering this in the broader context of personal and sensitive information. Legal recordkeeping requirements help define what the appropriate level of granularity should be.

At the same time, we’re increasingly managing information at the data object level and reconciling that with the big bucket retention schedule—two ends of the spectrum.
What does that look like in practice?

As Brandon noted, going too granular can make things overly complex, difficult to manage, and costly. Each law associated with granular data adds layers of complexity.

So, it’s really about finding the right balance.

When managing data at the object level, the complexities increase.
For anyone unfamiliar with systems that manage at this level:
A data object can be an individual electronic document (like a performance review), an email, or even a field entry—such as an address or benefits enrollment—within a system.

The benefit of managing at this level is precision.
You can apply retention rules in various ways, including event-triggered management.
This helps mitigate risk by allowing you to tag, add metadata, and track creation and management of data objects.
Retention can be applied with audit trails and other capabilities.

One of the most common systems for this is an HRIS—Human Resources Information System.
Workday is a well-known example.
These systems often integrate with broader document and content management platforms, including electronic records management systems (ERMS), to automate classification and retention.

This allows your retention schedule to flow through to these systems and apply rules at the most granular level.

Now, here’s where complexity really comes in:
We have big buckets, but multiple data objects may relate to a single bucket.
Different jurisdictions may require different retention periods.
How do we manage that?
Which retention period do we follow?

This introduces another layer of complexity we need to address.

There are also benefits:
Enhanced automation and improved compliance with privacy laws like GDPR and CCPA.
You can track and audit at a granular level, which is essential in today’s regulatory environment.

This isn’t just an HR issue.
Other industries—like financial services and healthcare—are also managing data at the object level.
Customer and patient information are prime examples.

This is the emerging reality we’re dealing with.
So how do we bridge the gap between big bucket retention schedules and granular data object management?

We received a great question that ties directly into this topic:

What is the recommended industry approach for managing the retention of employee source data, particularly when the data set serves as a foundational record due to its extensive interdependencies with other HR records? Is it appropriate to retain employee source data until all dependent records have reached the end of their retention periods? If so, what are the best practices for documenting this approach to ensure compliance with regulatory requirements?

This question really hits on the core issue.
Source data—often a data object or field-level entry—can include things like an employee’s address, benefits enrollment, or Social Security number.
These data points may be needed for multiple HR records: benefits, payroll, personnel files, etc.

It creates a spiderweb of dependencies, with the source data at the center.
Downstream systems rely on it for data integrity.

So what’s the answer?

Yes—most clients retain source data for as long as the dependent records exist.
This ensures downstream data integrity, prevents orphan records, and allows for verifiable audit trails.

This approach is typically documented in two places:

• The records retention schedule, aligning systems and repositories with record categories
• A data disposition policy, which calls out specific categories and their alignment to source data

We’re hitting on key points here:
We need to be able to audit and verify our records, and the data is what those records are comprised of.
It’s part of the audit and verification process.

That’s one of the justifications for tying records to the retention schedule and the legal requirements that support it.
Another issue is orphaned records.
Too often, we hear horror stories about data disposition teams trying to clear out personal information—doing what they think is right—but ending up with orphaned records downstream that lack identifiable information they may still need.

Yes, that’s absolutely on point, Rick.
The general rule of thumb is to consider the longest applicable requirement when setting retention periods.
There’s a lot to think about.

Practically, this process often involves mapping granular data objects to the records retention schedule.
This helps determine appropriate retention periods—whether global or country-specific exceptions.

For example, a data object related to a submitted application might fall under the recruitment record series.
If the applicant isn’t hired, the retention period might be short globally, but longer in the U.S.—California requires four years, Colorado five.
This illustrates the complexity of managing retention periods across jurisdictions.

Organizing data under your retention schedule allows you to see all applicable retention periods and create a clear trail for decision-making.
This helps determine the final retention period for each data object.

For hired employees, you might retain a data object for the duration of employment plus seven years.
But if there are ongoing obligations—like benefits—you may need to retain it much longer, possibly 20, 30, or even 40 years.

There’s a wide disparity in how long a single data object might be needed for different business purposes.

You can manage this manually by tracking it within your retention schedule fields.
If you have an electronic solution, those fields can be mapped and traced.
You can then create classification rules based on the retention schedule, tailored to each data object’s content, sensitivity, and regulatory requirements.

If you’re fortunate, your system may include AI or machine learning capabilities to automate some of this.
Automation helps apply retention periods directly within systems like HRIS, which often have built-in retention features.

This is great because it adds accountability.
Everything is mapped, retention periods are known, and manual effort is reduced with system support.

Systems should also provide audit trails—tracking when data is deleted and why.
Always document the justification for retention periods, especially for broader record sets, to ensure compliance.

Having a clear trail from the data object level up helps justify broader retention periods and ensures they’re set appropriately.

This is an evolving area.
We’re reconciling these new realities with our retention schedules.
It ties into the broader conversation about designing schedules that reflect the shift toward more granular retention requirements.

We’re seeing laws and regulations increasingly focused on personal data at a granular level.
We’re accountable for justifying retention periods in specific cases involving personal data.

All of this helps us manage information more efficiently and effectively, while maintaining compliance.

With that, I’ll transition to Brandon, who’s going to dive deeper into specific record categories and how they’re being addressed in retention schedules with these new factors in mind.

Brandon:
Thanks, Jen.

Let’s zoom in on our first HR records category: recruitment records.
Specifically, we’ll look at how retention strategies and schedule structures differ for hired vs. non-hired candidates, and how global operations impact retention periods for these groups.

First, regarding retention schedule structure:
We commonly see two separate buckets—one for non-hired individuals and one for hired individuals, whose recruitment records become part of the personnel file (which we’ll cover later).

This structure allows retention periods to be tailored to the purpose for which the information was collected and helps address express retention requirements that are increasingly common worldwide.

We commonly see that non-hire recruitment records have much shorter retention periods.
They often lose their value once the individual is no longer a candidate for the position.

Focusing on those who aren’t offered employment—or perhaps are fortunate not to be—non-hire records typically have a global retention period ranging from six months to two years.
Common retention triggers include the creation date or the employment decision, allowing for a more privacy-conscious approach aligned with the purpose for which the information was collected.

Two key considerations drive that six-month to two-year retention range:

1. Recordkeeping requirements
2. Discrimination claims

As Jennt mentioned, U.S. requirements tend to be longer than those in other countries.
California previously led with a four-year requirement, but Colorado recently extended that to five years, pushing retention even further.

It’s interesting how neighboring jurisdictions often follow suit.
Ontario, for example, recently introduced a three-year retention requirement for non-hire records—the first express requirement of its kind in Canada.
We expect these express retention requirements to continue growing as more jurisdictions adopt similar standards.

Yes, and when it comes to recordkeeping requirements, they’re major drivers of the retention schedule—especially for privacy.

Outside the U.S., though, few jurisdictions have defined retention periods for recruitment records.
That leaves us with limited guidance.
Sometimes, legal teams will reference statutes of limitations for discrimination claims, which might support a one-year retention period.

Beyond that, privacy laws generally say to retain data no longer than necessary.
That could mean deleting records once an employment decision is made—whether the person is hired or not.

It’s a wide range of retention periods, and reconciling them is a challenge when designing your retention schedule.

Rick:
Exactly.
It also depends on what’s in those records.
Discrimination concerns might justify longer retention, but if you can support your processes using summary data without personal information, that’s ideal.

Still, some clients—especially in California—retain recruitment records long-term due to frequent legal challenges.
Having more information helps them defend against claims.

It becomes a company-by-company risk analysis.
If you’re facing discrimination suits and personal data is relevant to those cases, longer retention may be justified.

Brandon:
Absolutely.
And with global operations, retention requirements can vary widely.
Outside the U.S., we often see maximum compelled deletion requirements—laws that specify how long certain types of data can be retained before mandatory deletion.

Examples:

• France: 2 years
• Germany: 6 months
• Netherlands: 4 weeks after the application process ends

Even within the EU, there are significant differences in privacy regulations.

For hired recruitment records, once someone joins the organization, their recruitment records typically become part of the personnel file.
We’ll cover that in more detail in upcoming slides.

Closely tied to recruitment records are background checks.
Let’s look at how organizations manage these records and the differences between hired and non-hired individuals.

Like recruitment records, it’s common to see two buckets:

• One for non-hired individuals
• One for hired individuals

For non-hire background checks, we typically see a global retention period from the employment decision to one year.
This is driven by privacy considerations and potential discrimination claims.

What makes this more privacy-focused is the lack of express retention requirements for this group.
So, privacy principles often guide shorter retention—keeping data only as long as necessary for its original purpose.

In the case of background checks for non-hires, that purpose is usually to make a hiring decision.
Once that decision is made and the individual is no longer under consideration, the records lose their retention value.

Jenn:
And to add to that, background checks can contain very sensitive or even embarrassing information—especially if unrestricted.

This is a recurring theme:
Data minimization is key.
If your industry allows, maybe you only pull 5 to 10 years of information—or ideally, don’t collect detailed data at all.

There are background check providers that offer a pass/fail approach.
You provide the conditions, they return a pass or fail result.
They may only share personal information if there’s a potential fail to review.

This isn’t always feasible for highly regulated industries—like nuclear energy—but for most, there’s room to minimize the information initially collected.

Absolutely.
Those minimization principles help reduce risk by keeping privacy considerations front and center.
This is addressed at the process level, outside the retention schedule, but still contributes to strong privacy practices.

Once an employee is onboarded, many of the records we’ve discussed become part of the personnel file.
But what exactly goes into that file, and how should it be managed?

It’s critical to define what the personnel file includes within your organization.
This definition will vary by jurisdiction and be shaped by local policy, operational needs, legal requirements, and risk considerations.

Some jurisdictions don’t have express retention requirements for personnel files, so it’s important to establish clear parameters—for both privacy and compliance.
This helps avoid under-retaining or over-retaining certain types of information and ensures records are placed in the correct buckets or adjusted as needed.

Another key consideration is understanding what information goes into the personnel file so you can apply appropriate protections for sensitive data.

It’s important to note:
The personnel file is not a file plan.
Communicating this distinction to stakeholders helps reduce confusion and unnecessary questions.

And it’s not just stakeholders—sometimes even records managers confuse the retention schedule with a file plan.
That’s a great point.

Just because something is part of the personnel file from a retention schedule standpoint doesn’t mean it’s physically bundled together.
Certain records—like employee grievances, investigations, and medical files—should be maintained separately due to their sensitive nature, even if they share the same retention period.

So, distinguishing between retention periods and how the personnel file is managed is critical for privacy and organizational clarity.

If you’ve stuck with us through defining the personnel file, let’s talk about retention periods.

Globally, the common retention period for personnel files is duration of employment plus 5 to 7 years.
In the past, we saw retention periods as long as duration plus 10 years, but that’s shifting as privacy requirements gain traction and organizations adopt better practices.

Retention periods are often based on:

• Recordkeeping requirements
• Express retention laws
• Statutes of limitations
• Legal liability considerations

Local legal counsel may request longer retention periods—even when express requirements exist.
Opinions can vary even among experts within the same jurisdiction, so it’s important to align everyone during the review process.

Getting buy-in across the organization makes the process smoother and ensures the retention period is appropriate.

We’ve addressed our first question—now let’s move to the next two, which highlight the complexity of personnel files.

We’re considering digitizing our HR records, which include background checks, address changes, annual performance reviews, and more. Each document type has its own retention requirements, which adds complexity. What’s an effective strategy for applying the correct retention period to each document type within a personnel file? Alternatively, would it be more practical to assign the longest applicable retention period to the entire file?

Let’s start with the second part:
We do not recommend applying the longest retention period to the entire file.

Defining the personnel file—based on jurisdictional requirements—is essential.
Once you know which records are included, you can structure your HR records accordingly.

Be aware of express retention requirements, operational needs, and record life cycles.
Group records logically into buckets that reflect these considerations.

Jenn:
Quick question for clarification, Brandon:
If we define a personnel file to include five record types, and individually those records have different retention periods—say, one year for recruitment records and seven years for performance reviews—would the personnel file follow the longest retention period?

Brandon:
Yes—if those records are officially part of the personnel file as determined through legal counsel, express requirements, and internal policy, then they would be grouped and follow the longest applicable retention period.

But we can’t let the tail wag the dog.
We shouldn’t include benefits or pension records in the personnel file just to apply a permanent retention period across the board.

There needs to be logic behind the grouping to avoid unnecessary over-retention.

Based on data minimization principles, sometimes retention periods force us to step back and ask:
Do we really need to retain all these records for the longest possible time?
Or would it make more sense to break them out and assign shorter retention periods—especially for highly sensitive information?

That’s a great question.

Next question related to personnel files:

Given that employee documentation is often segmented into distinct record types—such as personnel files, learning and development records, benefits documentation, and performance management files—each governed by different legal and regulatory retention requirements, what is the recommended industry approach for managing these interdependencies while avoiding unnecessary over-retention?

Specifically, is it advisable to apply the longest retention period—typically driven by benefits records like pension or life insurance—to all employee-related records for simplicity and risk mitigation? If so, how is this reconciled with increasingly stringent privacy regulations that emphasize data minimization and purpose limitation? If not, what criteria or framework should guide decisions about what to retain versus what to securely dispose of?

As Rick mentioned earlier, we don’t want the “tail to wag the dog.”
You should parse records out in your retention schedule so that the longest retention period doesn’t drive over-retention across all record types.

While longer retention may help mitigate risk in some cases—such as defending against claims—it also increases privacy risk when data is kept longer than necessary.

Instead, match each record type to its legal and regulatory requirements, consider its lifecycle, and group similar records into logical buckets.
This allows for a structured retention schedule tailored to your organization.

Cookie-cutter schedules won’t account for these nuances.
It’s important to dive into the process and create a document that reflects your operations and compliance needs.
A one-size-fits-all approach rarely works.

Tailoring your schedule is critical for both compliance and risk mitigation.

Now, let’s talk about managing benefits and pension records while staying mindful of privacy considerations.

Where retention meets retirement, organizations often ask:
Do we need a “skeleton” record series?

Before we get there, let’s look at the typical structure of these records.

For individuals, we commonly see a global retention period of final payment plus 5 to 11 years.
Retention considerations are based on recordkeeping requirements and risk—especially in the U.S.

One notable case is Barton v. ADT, from the U.S. Ninth Circuit.
Barton claimed he worked for ADT from 1967 to 1986.
In 2010, he sought pension benefits, but the plan administrator denied the claim, citing lack of records.

The court ruled that when a claimant lacks access to key information controlled by the plan administrator, the burden of proof shifts to the administrator.
Beneficiaries aren’t expected to produce records—the administrator must.

This ruling triggered a conservative approach in many organizations, leading to longer retention periods.

Jenn:
That ruling doesn’t specify a retention period, right?
It just says the administrator must produce records related to benefits paid or payable.

Brandon:
Exactly.
The “payable” language puts organizations on high alert.
It implies that records may need to be produced at any time, which leads to very long-term retention.

Some organizations now use final payment as a trigger to account for that “payable” clause.
But there’s still pushback from stakeholders.

This language has caused challenges—but also helped ensure people receive the benefits they’ve earned.

Jenn:
With clients who offer traditional pension plans, we often see permanent retention for these records—especially in the U.S.
But there are exceptions.

Brandon:
Yes, some countries also have long-term retention requirements.
For example:

• Brazil: 30 years for Social Security indemnity records
• Latin America: Frequent requests for long retention periods, often citing archival laws
• Russia: Shelf-life law
• China: Archives Order No. 10
• Eastern Europe: Similar long-term archival requirements

Globally, retention schedules are often split—some jurisdictions require long-term retention, others don’t.

Reconciling this with the need to defend against pension claims remains a challenge.

The idea of a skeleton category is widely appealing.
We’re short on time, but let’s quickly describe it.

The “skeleton” category is meant to be bare bones—only essential information.
It aligns with data minimization principles.

Think of it this way:
What is truly essential to retain long-term or permanently (preferably with a defined long-term period to avoid “permanent” where possible)?
This would include only the core data needed to guarantee payment of benefits to employees or their beneficiaries.

The goal is to create a category that captures only that essential data—avoiding over-retention across other categories in the retention schedule.

Some organizations go with permanent retention, while others intentionally choose shorter periods to avoid permanence—especially in Europe.
Retention ranges vary widely, from 40 years on the low end to 85–90 years for those accounting for all conceivable contingencies.
It’s a risk-based decision.

Let’s touch on two specific areas: leaves of absence and collective bargaining.

For leaves of absence, records often contain sensitive health information—physician certificates, medical documentation, and related requests.
These are typically separated from payroll records so their retention period can be tailored and minimized.

Common global retention ranges:

• Creation plus 2 to 7 years, with exceptions
• Australia: Duration of employment plus 7 years
• Ireland: Creation plus 12 years

These variations reflect efforts to reduce retention periods while respecting privacy concerns.

For collective bargaining, global retention periods typically range from expiration plus 7 to 15 years.
Retention requirements are scarce, so these periods are often driven by dispute resolution needs and operational considerations, which vary by jurisdiction.

Stakeholders and subject matter experts from different regions will often request very different retention periods based on local context.

Another hot-button item: data subject requests.

Let’s discuss how to retain the right records while avoiding unnecessary copies of personal data.

Typical global retention range:
Final resolution plus 2 to 5 years, aligned with emerging express retention requirements—including in the U.S.

What should be retained:

• The original request
• Final resolution summary
• Log information detailing how the request was handled
• Access records for specific data types

Copies of personal data should be treated as transitory.
This avoids retaining unnecessary personal data and allows for streamlined deletion under a separate policy.

On the topic of downstream dependencies, this is where systems become invaluable.
You can trace a data object or piece of personal data across the organization to ensure complete deletion—assuming no unauthorized copies are saved elsewhere.

This is a key component of compliance and tracking.

Final question—let’s answer it quickly:

Best practices for purge logs and certificates of destruction:

• Systems should auto-generate logs showing what was deleted, when, by whom, under what process, and under which retention rule
• These processes should be integrated with legal hold protocols to suspend disposition when necessary
• Purge logs should be stored similarly to certificates of destruction
• Logs should be audited periodically to ensure the process is functioning properly
• Purge rules should be reviewed and certified for alignment with the retention schedule—typically by legal and records management teams

If there’s one key takeaway from today’s session, it’s this:

Review. Align. Train. Monitor.

Why?
Because privacy isn’t a project—it’s a practice.
It’s not something to focus on for a month or a year.
It should become part of your organization’s culture.

Big bucket retention schedules are still best practice—but add granularity where it makes sense.
Be mindful of express retention requirements and record lifecycles.
Train teams to understand the balance between retention and deletion.
Stay up to date with global legal developments—jurisdictions often follow each other’s lead.

Jenn:
I love how you put that, Brandon.
Privacy isn’t a project—it’s a process.
Privacy by design.

Brandon:
Exactly.
It’s something we always need to stay on top of.

Thanks again, everyone.
We appreciate you taking the time to join us today.

The post HR Records in a Growing Privacy Climate: Webinar Transcript appeared first on Zasio.

Date: Tuesday, Feb. 18, 2025

Featuring Jennifer Chadband and Rick Surber — Zasio Senior Consultants

Editorial Note: Portions of this Virtual Coffee with Consulting transcript have been reviewed and refined using AI tools to improve readability, punctuation, and clarity. While the content remains true to the original discussion, minor edits were made to enhance understanding. You can also watch the webinar in its entirety below.

Welcome everyone to Virtual Coffee with Consulting. Today’s topic is the Revamping Your Rim Program. A Roadmap to Resilience and Efficiency. This is a great topic. Rick and I were brainstorming for the year and wondered if it would be too dry or not interesting enough since we’re going back to the fundamentals. But surprisingly, we’ve had a ton of interest and great attendance numbers.

We’re extra excited to present on this topic because there are always new things to think about. Just a reminder—Virtual Coffee is meant to be a casual forum. We always encourage people to bring their coffee or beverage of choice. I think we once had a guest who brought Diet Coke and a cigar. Whatever floats your boat.

We want to have a loose conversation about this, but we also think it’s great to have slides and we all like visuals and takeaways. This is really meant to be a discussion format. Rick and I will go over some ideas and content, but also have conversations about common practices and trends we’re seeing.

If you’re new here, welcome! I’ve seen quite a few new names signed up for today’s presentation and questions are always welcome. You’ll see there’s time for questions at the end, but feel free to submit them anytime and we’ll get back to you.

Now, the roadmap for today’s discussion: we’ll start with the “why”—why we’re conducting assessments and reevaluating programs. What’s the driver behind that? Then we’ll talk about fundamental program components, which really lay the foundation for the rest of the conversation.

Building on that, we’ll explore what it looks like to conduct assessments and how that might vary depending on your organization, goals, and drivers. We’ll also talk about common findings, practical tips, and other helpful insights—especially for those of you who are leading initiatives or conducting assessments yourselves.

There are a lot of handy tips we can pass down.

Why Conduct a RIM Assessment

Talking about the “why”—if you look at the bullet points, they’ll likely look familiar. These are the common drivers for RIM assessments. And these can evolve over time. We recommend periodic assessments, especially if your goal is full maturity.

Even if full maturity isn’t the goal, you should still check in regularly to see what’s working, what’s not, and where your strengths and weaknesses lie. These are typically the drivers for building a complete records software solution.

First, legal and regulatory compliance is always evolving. Think GDPR, HIPAA—there are even recent changes coming to HIPAA. Assessments help identify compliance gaps and protect against legal risks or penalties.

Next, mitigating risks and reducing liability. Poor records management can lead to data breaches, noncompliance, and fines. You don’t have to look far to see examples—especially in financial services, where SEC-related issues and privacy breaches have made headlines.

Another key driver is optimizing operational efficiency and cost savings. Inefficient records management wastes resources, increases storage costs, and reduces productivity. Modernization and automation are important here—technology enhancements can significantly improve your information governance program.

Protecting organizational information is also critical. Sensitive, confidential, and proprietary information are valuable assets. A robust RIM program helps safeguard them.

Rick, do you want to take the last few?

Thanks, Jen. The next driver is preparing for unforeseen events like disasters. Having a business continuity plan is essential. Assessments help identify critical records and ensure they’re recoverable in case of natural disasters or cyberattacks. They also help identify weaknesses and backup plans.

Another driver is making informed decisions. The ultimate goal of an assessment is to create a strategic roadmap for your RIM program—what to prioritize and how to move forward. This improves decision-making, enables quick retrieval of records, ensures proper storage, and supports defensible disposition.

Lastly, facilitating digital transformation and information governance. AI-driven records management is something we’ve received questions about. We’ll touch on it briefly today and plan a dedicated session later this year. The goal is to integrate records management into broader enterprise content and digital transformation strategies, ensuring technologies are used efficiently while maintaining compliance.

Core Components of a Successful RIM Program

Here are the key components and factors that Zasio looks at during assessments. First and foremost is program governance and structure. We look for things like RIM policies and retention schedules, which are foundational. Just as important is ensuring that senior leadership is on board and that RIM is part of a broader information governance program that takes a holistic view of information management and security.

A dedicated steering committee is ideal. Clearly defined roles and resources form a strong foundation for a proper RIM structure. When it comes to records management practices, we’re looking for progress in implementing program objectives—policies, procedures, and retention schedules. These practices, workflows, and processes should be designed to responsibly manage records and ensure the full lifecycle is followed, especially the disposition phase, which must be defensible.

Work culture and behavior are crucial. You can have the best governance in the world, but if people aren’t engaged or don’t care, it won’t go far. This is often the biggest challenge we hear from clients. They may have all the pieces in place, but struggle with implementation and follow-through. Common questions include: How do we reinforce this? How do we create awareness? How do we communicate effectively?

We’ll talk about strategies to promote enthusiasm for RIM, which can be difficult. One helpful approach—though not the most in-depth—is training and boosting awareness. We’ll dive deeper into that shortly.

Next is technology—how it supports records management processes. This includes the ability of existing systems to provide visibility and control over both electronic and physical records. It’s about understanding repositories, applications, their limitations, and how they align with RIM objectives. We’ll explore potential workarounds and solutions.

Risk management and security are also key. We’ve already touched on business continuity and disaster recovery, as well as cybersecurity. Finally, compliance monitoring and auditing are essential. These ensure compliance, track key metrics, and support corrective action when needed.

A quick note on technology: it’s playing an increasingly important role. Many of our assessment findings include recommendations to adopt technologies that enhance or even enable the implementation of project goals. AI is a major factor here. While this presentation won’t focus heavily on AI, we are planning a future Virtual Coffee session dedicated to how AI and technology can modernize and elevate your program.

Benchmarking and Industry Common Practice

This section is about identifying your yardstick—how you measure the current status or structure of your program. There are many resources available. One of the major ones is the Generally Accepted Recordkeeping Principles (GARP), which include eight principles: accountability, transparency, integrity, protection, compliance, availability, retention, and disposition.

These principles help organizations measure maturity and compliance. On a lighter note, I once asked ChatGPT for a mnemonic for GARP. It initially got the acronym wrong but eventually came up with a good one: A Trusted Information Professional Complies and Reviews Records Diligently. I wish I had that while studying for the CRM!

Another useful model is the ARMA Maturity Model, which outlines five levels of maturity: initial, developing, defined, managed, and transformational. The goal is to move toward a transformational program—one that is proactive rather than reactive. This model encourages continuous improvement by identifying weaknesses in retention and compliance practices.

While many assessments focus on weaknesses, it’s just as important to identify strengths. It’s not uncommon to find disparities within an organization. For example, finance, accounting, and HR departments often have more mature practices in place.

There are also ISO standards for RIM and IG. ISO 15489 focuses on core principles for designing and implementing RIM systems, while ISO 24143 emphasizes IG concepts and a structured, cross-functional approach involving legal, IT, and other departments.

We also use our own proprietary model, which incorporates industry best practices based on years of conducting assessments. The idea is to compare your program to a chosen standard and identify gaps.

Common gaps include a lack of formalized policies or procedures, or having policies that are too complex to follow—like overly complicated retention schedules.

Many people don’t understand how to use the retention schedule. Sometimes there’s a policy in place, but it’s not easy to follow. Inconsistent retention and disposition practices across the organization are common. Another frequent issue is poor integration of RIM and information governance (IG) with IT and security policies.

These gaps help highlight and justify the need for resource allocation and support. They also guide the next steps in developing your RIM program. From there, you can prioritize areas for improvement. As Rick mentioned earlier, gaining executive buy-in is essential for implementing necessary changes. It’s important to revisit the “why”—why are we doing this?

If legal or regulatory compliance is the main driver, that may be the most urgent risk to address first. Prioritizing based on risk and impact helps shape your takeaways and next steps.

Risk Priorities and Maturity Milestones

Let’s dive deeper into risk priorities and maturity milestones. If your program is still developing or just starting out, you’ll likely take a risk-based approach. As your program matures, you can begin to rely more on established milestones and metrics.

When starting from scratch, you may not have any governance in place. Often, the first thing organizations implement is records retention scheduling, which is foundational. But a RIM policy is just as essential. You may not yet have a formal program or a dedicated RIM professional.

In this case, a general risk-based approach is appropriate. An assessment and strategic roadmap are excellent starting points. They help outline a path toward maturity and align everyone around shared goals.

Some clients come to us saying, “We need a records management program, but we can’t get buy-in or support.” In our experience, we’ve helped build business cases to address this. You don’t need to be a lawyer to build a risk-based case. There are plenty of resources—legal cases, enforcement actions, and industry examples—that can help you make a compelling argument.

When you’re just starting out, focus on the risks to your organization. That can help you secure buy-in and resources. Anyone can pull together a persuasive case to support that first step.

There’s no shortage of cautionary tales. We even hosted a Halloween-themed webinar on RIM horror stories—some classic, some recent. It’s still available on our website and worth a watch.

For minimally developed programs, there’s a balance between risk and maturity. The roadmap helps justify additional resources and technology. Once your program reaches substantial maturity, you’ll likely have senior sponsorship, a steering committee, key performance indicators, and continuous improvement goals.

At that point, you can focus on known hurdles and develop strategies to overcome them. Internal audit findings and a commitment to continuous improvement are key tools for mature programs to keep evolving.

Assessment Planning and Considerations

When planning an assessment, it’s important to be concise and deliberate. Start by asking: Why is this assessment being conducted? The answer helps define the scope and outreach strategy.

It could be driven by risk management, regulatory compliance, operational efficiency, modernization, or digital transformation. Sometimes, an audit finding or litigation exposure prompts the assessment. Other times, it’s part of a routine check-in to ensure things are working as they should.

Next, determine what you’re going to assess. It’s not always necessary—or practical—to survey the entire organization. You might focus on specific areas, depending on whether your program is centralized or decentralized, or based on known maturity levels across departments.

People often underestimate the effort and timeline involved in a full enterprise-wide assessment. You’ll be evaluating policies and procedures—are they regularly updated? Are retention schedules compliant and aligned with business needs? Are records being managed according to the schedule?

These questions help shape your outreach. We’ll touch more on that shortly.

You’ll also assess technology and systems. What tools are in use? How are employees managing records day to day? Is there a standardized approach?

Training and awareness are also key. As a stakeholder, you’ll likely have answers to many of these questions, though input from others will be necessary too.

As mentioned earlier, the scope of the assessment may be organization-wide or limited to specific business areas. You’ll also want to consider whether the focus is on electronic records, physical records, or both.

More and more, the focus is on electronic records. Physical records still matter, but they play a smaller role. Managing digital records—especially across software platforms, databases, and cloud environments—adds complexity, particularly when applying retention policies. That’s why electronic records often require a deeper dive during assessments.

Geographical considerations also come into play. Where your organization operates can affect which legal and regulatory compliance requirements apply. All of this reinforces the importance of having a well-scoped, thoughtful plan going into an assessment.

Stakeholder Involvement

If there’s a magic trick to helping with support, adherence, and smooth implementation, this is it: involving stakeholders. Getting them engaged, collaborating with them, making sure their opinions are heard, and doing everything you can to bring their needs into the program goes a long way in building champions and rolling out a successful program.

You may not know who your stakeholders are. If that’s the case, you can develop a survey and send it to managers. Ask them to identify the people in their departments who are most knowledgeable about records—how long they need to be retained, what the business needs are, and so on.

We’re usually looking at some key stakeholders. Legal is a major player and typically requires multiple touchpoints. If there’s a privacy team, we’ll want to talk to them too. Then there’s representation from each business area within your organization.

Often, these touchpoints can evolve into a RIM liaison-type relationship, which we’ve found to be really useful—not just for collecting information, but for helping with compliance, training, and rollout.

If you have stakeholders who are willing to stay involved and have bought into the process through collaboration, it makes everything easier down the road.

One question we get a lot is: how many people should be involved in an assessment? The answer is: it depends. We look at the size of the organization and the core verticals—HR, Legal, IT, and any industry-specific areas.

Sometimes it gets tricky. A client might say, “We have 50 manufacturing sites. Are we really going to reach out to all of them?” The answer is no. Nobody has the bandwidth for that. But you do want a good sampling—especially if there are unique products, regulatory considerations, or higher-risk jurisdictions. Focus on the sites that will provide the most value to the assessment.

This part of the process can be a hang-up. It can feel overwhelming, and it’s often hard to get people to engage. We can’t underestimate that. Survey response rates typically range from 30% to 70%. Smaller organizations sometimes hit 100%, especially when Legal is involved. That tends to prompt more responses.

As long as the importance of the initiative is clearly communicated—why it matters to the business—people usually understand and are more willing to participate. It helps to make them feel like they’re part of it.

Executive support helps too. I like to talk to someone in an executive role later in the information-gathering phase. That way, you can report on what’s been collected, talk through the strategies you’ve developed, and get feedback from an executive sponsor on the path forward.

It’s not always easy to get an executive on a call, but we do. We’ve even had meetings with company presidents. It’s great when that happens.

Accessibility and Communication

All right. Talking about assessment planning considerations—when we’re thinking about the existing framework and policies—we want to go over some of these. You’re reaching out now, asking questions. The survey itself should be as straightforward and simple as possible.

We can’t get every question answered in the survey. People just won’t complete it if it’s too long. There’s a sweet spot. The survey sets a foundation for the most important aspects. For example, we ask about systems, record locations, and provide a list of options they can select from. That helps facilitate the process.

We usually work with IT to get an idea of what that looks like, which can be complex depending on the size of the organization. When we get into conversations, we go down a list of things we want to answer because it helps inform where the program is and what the maturity level looks like.

We think about the retention schedule and ask: Are there inconsistencies? Is anything missing? Do people use it? Are they familiar with it?

We also look at policy documentation for clarity and accessibility. Are the policies clear? Are they well documented? Are they updated regularly? Are they written in a way that ensures consistent application across the organization?

Accessibility and communication are key. One of the real linchpins of the program is whether employees are aware of and able to find the RIM policy. Even in fairly mature programs, it’s not uncommon to find people who’ve never seen the retention schedule. That usually indicates there wasn’t an onboarding requirement for training.

These types of questions can reveal a lot. Are policies being enforced consistently—or at all—across departments?

We also look at disposition practices. ROT—redundant, obsolete, trivial information—is a big issue. Is there over-retention? Is anything being deleted? You can get at that through general questions, and even by asking about email. Email is a major consideration. Even if it’s not part of your formal strategy, it’s worth asking: Are records being stored in email? Are emails being deleted? Are there backlogs of records that should have been destroyed but are still stored? Are disposition practices documented and auditable?

These are just some of the questions we ask during information gathering. As you meet with people and go through these lists, you start to get a general sense of where things stand. Not every question needs to be answered in every interview, but the conversations are meant to be organic. You’ll gather more and more information as you go, and that helps inform the overall state of the program.

All right. Technology—this is a big one. There’s a lot to talk about, but I’ll keep it brief.

We got a user-submitted question: How are RIM programs addressing the shift from managing legacy paper to a vast array of software repositories that all hold digital records in different ways—most without metadata or connection to the retention schedule—and with legacy staff unfamiliar with the new systems?

That sums up a lot of what’s going on. Technology is advancing. The volume of digital records is exploding, and managing it all is becoming more challenging.

A couple of tips: prioritize key systems. Focus on where the most records are stored or on systems that are critical to business operations.

Then ask: Are there tools available in these systems or repositories to help manage records?

A good example is Microsoft 365. Purview labels have been improving. It wasn’t originally built for records management, but they’ve added features over time. It’s more robust with an E5 license than with an E3.

You can still use some of the features in E3. Use what you’ve got, recognizing that better technology and more centralized management will make things a lot easier. If you can move toward an electronic records management solution, it’s going to make a big difference—the sooner, the better.

And then there’s automation. Anything that makes things less manual helps. It reduces employee burden, improves consistency, and just makes things better.

All right, another component you’re measuring during the assessment is the records lifecycle and governance practices. It’s important to get a general idea of how records are created, stored, accessed, and disposed of across the organization. You may already have some insight into that.

Here are some typical questions we ask to help gauge this: Are records being captured in a structured and standardized way? Are there policies in place to ensure proper classification at the point of creation? Where are records stored—physically, electronically, in the cloud, or in hybrid systems?

That’s something you might be able to answer through the survey. Then we look at whether storage practices align with security and access control requirements. And how are records being disposed of? Are they being handled according to the retention schedule?

There’s some overlap in these components, but the questions help guide where you want to go. From an AI perspective, we’re also looking for information silos—areas where redundant or obsolete information is being stored.

This is really about good RIM practice. You want to eliminate situations where people are managing records locally, making them hard to access or duplicating them unnecessarily. We recently had a meeting where people kept saying, “We’re keeping copies here and here,” even though there was a centralized repository. Turns out, the system only allowed users to view records by downloading them. That explained why everyone was saving their own copies. These are the kinds of things we uncover through these conversations.

We also look at whether metadata and classification standards are being applied consistently. That’s especially important as we move toward modernization and broader technology integration. Are metadata elements—like record type, owner, and retention period—being used consistently across systems? Are records properly tagged? Is there a universal classification scheme?

In larger organizations, we sometimes find that people are creating their own policies. That’s a red flag, but also a great takeaway to address.

Another important area is audit and compliance monitoring—if your program is mature enough for that. Are periodic audits being conducted to ensure classification and metadata consistency? If audits are happening, they can reveal a lot. If not, that’s something to work toward.

These categories—lifecycle, governance, metadata, and auditing—give you insight into what’s happening across the organization. They help you understand where things are, what’s working, what’s not, and what could be improved.

Audit findings aren’t fun, but they can help justify more resources. They get attention. Still, it’s better to be proactive than reactive.

Let’s talk about risk and security quickly since we’re a little behind. The security team is an ally with overlapping objectives. They’re probably doing phishing and penetration testing. RIM can help identify vulnerabilities related to records practices.

We also assist with disaster recovery and business continuity—identifying vital records, making sure they’re protected, and ensuring there’s a plan to access them in case of a disaster.

Privacy teams are also key allies with similar goals.

They can help evaluate how sensitive, confidential, and personal information is being protected and managed. A couple of things to work toward are accurate categorization and clear processes for storing and securing records.

Also, implementing the principle of least privilege is important—something both security and privacy teams support. That means employees only have the minimum level of access needed to perform their tasks. It keeps things compartmentalized so only those who need access have it. That makes things much easier if something goes wrong, like a phishing attempt.

All right, some more assessment planning and considerations. Efficiency and process optimization may not always be the primary objective, but it’s still important. It’s often a goal for organizations during assessments.

We’re looking to identify manual, redundant, or inefficient processes that could be automated. You can start by asking: How are people searching for records? Are they having trouble finding what they need? If so, why? Is it poor indexing, metadata issues, the retention schedule, or the classification scheme?

We also assess how people are using RIM tools and whether they’re following policies. One big issue is shadow IT—when people go off the grid and use their own methods. You’ll hear things like, “We’re not using that system; here’s how I do it.” That usually means the official process is too complicated or hard to follow.

That kind of feedback can point to areas that need further development or additional training. It also gives insight into best practices for improving adoption, change management, and communication across the organization.

Finally, we look for opportunities to streamline workflows, reduce costs, and automate where possible. We’ve already talked about AI-driven classification. That’s a big one. We’ll go into more detail in our next Virtual Coffee, which will focus on technology and AI.

Machine learning for compliance monitoring and automated retention triggers are also important. And in the background, you’re always thinking about how your RIM knowledge—whether from IGP, CRM, or industry best practices—can guide process optimization. You’re measuring against that and thinking about what the roadmap and strategy should look like in your final report.

Ah yes, the dreaded management side of the CRM coming back to help us out. Flashbacks.

At the end of the assessment, you’ll want a report that includes findings, risk areas, and recommendations. One piece of advice: distill the important findings and present them in a clear, easy-to-understand way.

You can include all your supporting information—risk analysis, appendices, templates—but the actual findings and recommendations should be plain and simple. Include an executive summary and a dedicated section for findings and recommendations.

That’s a good takeaway. Over the years, we’ve seen long assessments packed with helpful content—risk sections, use cases, enforcement examples, templates—but you don’t want to bury the most important parts. The primary risks and the recommendations to address them should be front and center.

Visualizing and Presenting Information

Make sure to keep it organized and put the important aspects right up front so your team and executives can easily see what’s going on and what needs to be done.

Also, consider data visualization. These reports can be very text-heavy, so don’t be afraid to make them more engaging with colors or visuals. One tip for survey distribution: use tools like Google Forms or Microsoft Forms. You can format your questions, and the tools will automatically generate visuals—pie charts, diagrams, and other helpful graphics—from the responses.

It’s nice to dress up the report with visuals, even icons or pictures. These days, people are used to seeing graphics in everything—even reports. It helps break things up and makes the information easier to digest.

Honestly, I’ve never seen a report like this with too many visuals. Usually, there are too few. People don’t always think about how to visually represent information to make it easier to read and process. Even AI can help with that. If you have data that’s not sensitive or proprietary, you can feed it in and ask for visual representations. AI can suggest ways to present the information that you might not have considered.

Roadmap Strategy and Timeline Planning

Now, thinking about the roadmap strategy and timeline—this is just a high-level idea of how things could be mapped out. We like to create a visual roadmap. Each phase will have its own details, and you can include those in the report. But it’s helpful to have a one-page summary that lays out the roadmap clearly. Executives especially appreciate that kind of concise view, rather than digging through all the details.

For the assessment and gap analysis, two to three months is realistic for a small organization. For a larger one, it could take twice as long. It depends on how many people you’re reaching out to and how easy it is to get on their calendars. That can really stretch the timeline.

It’s always smart to be conservative with your estimates. These things often take longer than expected—especially when you’re trying to coordinate interviews and meetings.

Updating governance and framework—whether that’s forming a committee or reviewing policies—can take three to six months. Again, that’s for a small organization. Larger ones may need more time.

Technology and process optimization can take six to twelve months, depending on how many systems are involved. We’ve learned that the acquisition and procurement process alone can be lengthy, and implementation adds even more time.

Training and change management follow a similar timeline. It takes time to fully implement, but it’s important to have a solid enterprise-wide training strategy. You also need to think about onboarding, ongoing awareness, and how to keep people informed. And don’t forget—being available to answer questions is part of that process.

Continuous Improvement and Program Maturity

Then there’s continuous improvement. Once you’ve started—maybe with a pilot—you’ll want to keep checking in. Where are we now? What’s improved? What still needs work? Where are the gaps?

It’s a rinse-and-repeat cycle. These check-ins should be part of your regular process, along with auditing and monitoring. It’s all part of the bigger picture.

Always aim for continuous improvement and program maturity.

Good stuff. Did I miss anything?

I don’t think so. It’s a lot to go over, but it’s always helpful to lay it out and think about it from the ground up. It helps you get ready and see the big picture—where to start and how to move forward.

With that, I think we can go to our last slide.

And I’ve got a save-the-date. Warren’s been asking me to collaborate on a webinar. It ties back to a user-submitted question about repositories: Should the retention schedule manage the data that makes up records? Traditionally, the answer has been no. But in today’s environment, where applications are replacing traditional records, how should we approach that?

I think we covered the assessment pretty well today, Jenn. Great job. We’ll see everyone next time on Virtual Coffee. Thanks, everyone. Feel free to send us any questions if there’s anything we can clarify or help with. Thank you.

The post Revamping Your RIM Program: appeared first on Zasio.

Why RIM Matters More Than Ever

A robust RIM program is no longer a back-office function. It’s a strategic asset. Here’s why:

• Legal & Regulatory Compliance: Stay ahead of evolving mandates like GDPR, HIPAA, and SOX.
• Risk Mitigation: Avoid non-compliance penalties and minimize expensive litigation discovery, and data breach risks.
• Operational Efficiency: Cut costs, reduce redundancy, and boost productivity.
• Data Protection: Safeguard sensitive and proprietary information.
• Business Continuity: Ensure recoverability in the face of disaster.
• Informed Decision-Making: Enable fast, accurate access to critical records.
• Digital Transformation: Align RIM with enterprise content and governance strategies.

Core Components of a Modern RIM Program

The foundation of a successful RIM initiative includes six key pillars:

1. Governance: Clear documentation, structure, and oversight.
2. RIM Practices: From identification to secure disposal.
3. Work Culture: Training and awareness to drive adoption.
4. Technology: Integrated, automated systems for digital records.
5. Risk & Security: Disaster recovery and data protection.
6. Compliance: Ongoing audit readiness and legal alignment.

Assessment: The First Step Toward Transformation

A comprehensive RIM assessment is essential to identify gaps and set priorities. The webinar outlined a structured approach:

Define Objectives & Scope

• Are you addressing risk, compliance, modernization or all of the above?
• Will the assessment cover the entire organization or specific areas?

Engage Stakeholders

• Involve legal, IT, privacy, and business units.
• Use surveys and interviews to gather insights and build buy-in.

Evaluate Existing Frameworks

• Review retention schedules, policies, and classification structures.
• Assess current practices for defensible deletion and secure storage.

Analyze Technology & Systems

• Examine electronic records management systems (ERMS), and integration.
• Identify automation opportunities and onboarding standards.

Consider Risk & Security

• Pinpoint vulnerabilities in access controls and disaster recovery.
• Ensure sensitive data (PII, PHI, financial) is adequately protected.

Optimize Processes

• Look for inefficiencies, manual workarounds, and low adoption.
• Recommend streamlined workflows and cost-saving measures.

From Findings to Action: Reporting & Road Mapping

Once the assessment is complete, the next step is to translate insights into action:

• Report: Highlight risks, maturity levels, and improvement areas.
• Prioritize: Focus on high-impact, high-risk areas first.
• Roadmap: Develop a phased plan with clear milestones.

Sample Roadmap Timeline

 Final Thoughts: Start with Your ‘Why’

The most successful RIM transformations begin with a clear purpose. Whether your goal is compliance, efficiency, or modernization, aligning your assessment and roadmap with that “why” ensures relevance and impact.

If you missed the webinar or want to revisit the insights, reach out to our team. We’re here to help you build a smarter, safer, and more strategic RIM program.

Disclaimer: The purpose of this post is to provide general education on information governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post Revamping Your RIM Program: A Roadmap to Resilience and Efficiency appeared first on Zasio.

The post Unlocking the Future of RIM with AI: Full Webinar Transcript appeared first on Zasio.

This article explores how leading organizations are leveraging AI to modernize their RIM programs, based on insights from Zasio’s most recent Virtual Coffee with Consulting webinar, “Unlocking the Future of RIM with AI” on May 20, 2025. | Read the Webinar Transcript

The New Information Revolution

We are in the midst of a digital and AI-driven information revolution. Organizations are not only generating more data than ever before, but they are also increasingly inclined to retain it “just in case.” As a result, this shift amplifies both the value and the risk of information. Therefore, RIM professionals are now tasked with maximizing information utility while minimizing exposure.

AI is central to this transformation. It enables organizations to extract actionable insights, automate manual processes, and ensure compliance—all while managing growing volumes of data.

Why AI Success Depends on RIM Maturity

AI thrives on clean, well-managed data. However, 44 percent of organizations still lack basic information management measures. Additionally, 52 percent struggle with data quality during AI implementation. This highlights a critical insight: mature RIM programs increase AI success by 1.5 times.

Consequently, organizations that have embraced AI in RIM report a 74 percent improvement in efficiency and a 67 percent boost in decision-making capabilities. Thus, aligning AI initiatives with robust information governance frameworks is essential.

Key AI Technologies Transforming RIM

Several AI technologies are driving innovation in RIM:

• Natural Language Processing (NLP) and Machine Learning (ML): These tools automate classification, metadata tagging, and sensitive data identification.
• Intelligent Document Processing: This extracts data from diverse formats using OCR and NLP, improving indexing and compliance.
• Robotic Process Automation (RPA): It automates repetitive tasks like scanning and categorizing documents at scale.
• Conversational AI: Tools like ChatGPT and Copilot assist with content generation and semantic search, enhancing productivity.

Notably, these technologies are already embedded in platforms like Microsoft Purview and Veeva. As a result, organizations can choose between out-of-the-box and customizable solutions.

Practical Use Cases for AI in RIM

AI is delivering tangible benefits across various RIM functions:

• Duplicate Detection and ROT Cleanup: AI identifies redundant or near-duplicate files, reducing storage costs and decluttering repositories.
• eDiscovery Support: Semantic search and concept clustering streamline legal discovery processes.
• Compliance Monitoring: AI flags unauthorized access, monitors data usage, and ensures policy adherence.
• Risk Scoring: It assesses unstructured data repositories for regulatory and operational risks.
• Enhanced Searchability: Semantic and OCR-powered search improves access to both structured and unstructured data.

Clearly, these applications are not just theoretical—they are already in use and delivering measurable results.

Governance and Cross-Functional Collaboration

Effective AI governance requires cross-functional collaboration. RIM professionals should be integral to AI governance committees. This ensures that AI initiatives align with organizational policies and compliance requirements. Moreover, business units, legal, IT, and privacy teams must also be involved to assess risks and impacts comprehensively.

In many cases, business users are best positioned to evaluate the real-world implications of AI. Therefore, their input is essential for ensuring transparency, fairness, and operational alignment.

Navigating the Regulatory Landscape

With over 1,000 AI-related laws proposed across 69 countries, regulatory compliance is a moving target. The EU AI Act, Canada’s AIDA, and emerging U.S. state laws reflect diverse approaches to AI governance. Consequently, RIM professionals must stay informed and adapt policies to meet evolving legal standards.

Furthermore, many of these laws intersect with existing data privacy regulations. For example, GDPR and CCPA both influence how AI systems handle personal data. Thus, compliance strategies must be holistic and forward-thinking.

Addressing AI Risks and Challenges

AI introduces several risks, including:

• Bias and Inaccuracy: Poor training data can lead to unfair outcomes and hallucinated results.
• Lack of Explainability: Complex models may produce decisions that are difficult to interpret.
• Operational Resistance: Cultural hesitancy and fear of job displacement can hinder adoption.

To mitigate these risks, organizations must implement strong governance, transparent policies, and continuous education. Additionally, regular audits and human oversight are essential for maintaining trust and accountability.

Policy and Retention Implications

AI-generated content, including prompts and outputs, must be evaluated for records value. Like email, transitory content may be auto-disposed. However, substantive outputs should follow established retention schedules. Many organizations are aligning AI content management with existing email policies, often setting auto-disposition periods between three months and one year.

Therefore, RIM professionals must work closely with IT and legal teams to ensure that AI-generated records are properly classified and retained.

Final Thoughts: Unlocking the Future of RIM with AI

AI is not just a tool—it’s a strategic enabler for modern RIM programs. By embracing AI responsibly, RIM professionals can enhance efficiency, reduce risk, and unlock new value from their information assets. Therefore, the time to act is now.

Disclaimer: The purpose of this post is to provide general education on information governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post Unlocking the Future of RIM with AI appeared first on Zasio.

The post When Data Becomes a Record: How to Tackle the Master Data Retention Dilemma appeared first on Zasio.

That said, here’s the catch: if you’re still relying on a template or a one-size-fits-all solution, you’re not managing your records—you’re babysitting them.

Let’s break down why a customized retention schedule is, hands down, the best approach, including why templates may be unnecessarily increasing your exposure.

Generic Retention Schedules: Why Your Business Is Not a Fill-In-The-Blank Exercise

Just plug in your name, industry, and voilà—instant compliance, right? However, that’s incorrect.

Every business has its own cocktail of legal, regulatory, and operational considerations. Whether you’re governed by HIPAA, GDPR, SEC, or just trying to keep the auditors happy, a customized retention schedule speaks your businesses’ native language, or more precisely, it’s specific dialect. It doesn’t just check boxes—it translates the rules into actions that make sense for you.

Templates give you vague generalities. Customized schedules give you peace of mind.

You Can’t AI Common Sense

Sure, a template might tell you to keep invoices for seven years. But what if you operate in three countries with different tax laws, or in California? Or your finance team relies on certain records to model future trends?

A tailored schedule digs into the nitty-gritty:

• What does your business actually produce?
• Who touches the records?
• How do workflows and processes vary by department?
• What will work for users so it can be implemented?

Templates don’t know about details like the implications of storing electronic pay slips in France, or that your HR Management application can’t delete information about active employees. Custom schedules do.

Hoarding Is Not a Compliance Strategy

A one-size-fits-all approach almost always errs on the side of “keep longer,” because generalizing prohibits detailed accuracy. But that bloated database full of stale, unnecessary records is a ticking liability creating:

• Bigger breach target
• Time-consuming searches
• Pricier storage
• Slower systems
• Painful e-discovery
• Privacy sanctions

A customized schedule knows what to keep, what to toss, and when to do it—no guesswork, no digital junk drawers.

Your Business Changes. Your Schedule Should Too.

Maybe you’ve merged, expanded globally, gone paperless, or started using AI to enhance processes. Your operations evolve—and a static template won’t evolve with you.

A custom retention schedule can be agile and is more durable. It covers more initially, and grows with your systems, people, and compliance requirements. Think of your customized records retention schedule as a living document, not a relic gathering dust in your shared drive.

People Actually Use Things That Make Sense

Let’s be honest: no one’s reading that 80-page generic retention policy with joy in their heart. If you want employees to follow it, it has to feel relevant. And employees who help build it are natural champions for it.

Custom schedules:

• Use your org’s terminology
• Fit into your actual systems and processes
• Make it easy to understand who’s responsible for what
• Lower a top hurdle- implementation
• Already have buy-in and promotion from those who collaborated to create it.

If your retention rules are intuitive, they’ll be followed. If they’re written in legal groupings from 2015, or by AI, they’ll be ignored—it’s as simple as that. And we all know that having a policy that’s ignored creates unnecessary risk, as there is documented proof that you know better.

Bottom Line: Templates Are for 3D printers. Not Compliance.

If you want your records retention strategy to be more than a liability—if you want it to reduce risk, cut costs, and support your business long-term—you need a customized records retention solution. Not a borrowed template with your logo slapped on it.

Don’t settle for sub-average and un-implementable. Your records (and your legal team) will thank you.

Want help designing a retention schedule that actually works for your organization? Zasio can help. We’ll build something that fits like a glove—and keeps your digital house in order. Zasio’s Consulting experts leverage their top industry certifications combined with legal licensures and decades of experience to efficiently collaborate with stakeholders to collect information and build customized records retention schedules specifically designed for each client.

Disclaimer: The purpose of this post is to provide general education on Information Governance solutions. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post Template Schmemplate: Build a Customized Records Schedule That Actually Works appeared first on Zasio.

Most people think of fines—which is usually the case. For instance, the SEC recently fined multiple firms (including multiple Wells Fargo related firms) $549 million for poor recordkeeping.[1]

But sanctions take other forms as well. Businesses and entities of all kinds should be aware of these sanctions to proactively tailor their records information management practices. This article discusses examples of the most common sanctions and what your organization can expect from them.

FINES

Simple fines are the most common record keeping penalty. Amounts can vary, but here are some heftier examples:

GDPR (EU) Maximum Fine: €20 million, or 4% of annual worldwide turnover, whichever is greater.[2]

U.S.: Recordkeeping penalties for failure to properly maintain and provide customs related documents start at $10,000 per violation and can go up to $100,000 per violation, depending on the level of culpability.[3]

China: Failure to prepare or keep customs declaration documents, import or export documents, contracts, other materials directly related to the import or export business subject to a fine of not less than 10,000 yuan but not more than 500,000 yuan. If the circumstances are serious directly responsible persons in charge and other directly liable persons shall be subject to a fine of not less than 1,000 yuan but not more than 5,000 yuan.[4]

While these examples are steeper examples, most jurisdictions crack down via fines for record keeping violations, meaning that even smaller fines can add up to hinder any business.

PENALTY UNITS

Penalty units are simply a way of measuring fines. For example, if a penalty unit is worth $100, then a violation worth 10 penalty units totals $1,000.

Australia uses penalty units—and even within Australia, amounts differ. For instance, in Tasmania, a penalty unit is worth $202,[5] but in Queensland, a penalty unit is worth $161.30.[6] The rationale behind this practice is practical: penalty units allow simplicity in defining fine amounts given constant changes in the law and inflation.[7]

Additionally, penalty units allow easy comparison between how sanctions relatively affect corporations and individuals. For example, Tasmanian electrical workers must keep a record of any work performed for 10 years after. If a corporation doesn’t meet this requirement, a fine of 50 penalty units is incurred. However, if an individual fails to keep this requirement, the fine is only 25 penalty units.[8]

PROFESSIONAL SANCTIONS

In many professions, poor record keeping can affect your standing, especially where licensure is required.

For instance, in Nova Scotia, Canada, a denturist can be found guilty of professional misconduct for simply failing to “maintain adequate records.”[9] More severely, insurance agents in California can have their license revoked entirely for not keeping required records.[10]

Paying a fine is a hassle, but losing one’s means—even temporarily—of making money is usually worse.

IMPRISONMENT

In certain cases, jail or prison can be on the table for not keeping proper records. Outright fraud can result in imprisonment (Enron, anyone?), but poor record keeping does not need to be fraudulent in nature to result in prison. For instance, Idaho pharmacists who fail to keep required records can be guilty of a misdemeanor carrying a sentence for a term not to exceed one year in county jail.[11]

Of course, punishments like these are rare. However, even a remote possibility of prison is enough of a headache. Further, there is no way to truly quantify the damage such a scenario would bring to the reputation of a business—shareholders, clients, and potential business partners alike may take note and act accordingly.

A ROCK AND A HARD PLACE

RIM professionals have a dual interest in creating a retention schedule—strategy and compliance. A business bogged down with unnecessary records creates a cluttered environment, potentially exposing the business to disarray and other pitfalls such as the sanctions discussed here. Simultaneously, businesses have an obligation to adhere to record retention periods set by law. Retention schedules help balance both interests.

Sanctions for poor record-keeping practices are very real, but the solution is simple: enterprises should be aware of these sanctions, form a sound records retention schedule tailored to their needs, and adhere to it. Doing so is a way of “showing your work” behind a thoughtful records and information management program, which is a key step towards ensuring neither you or your organization becomes the subject of records practices-related sanctions.

[1] Amazon faces record GDPR fine, (August 2, 2021) https://www.simmons-simmons.com/en/publications/ckrus16301do70a28ptvwqy5t/amazon-faces-record-gdpr-fine

[2] https://gdpr.eu/fines/

[3] 19 CFR 163.6

[4] Regulation on Customs Inspection (2016 Revision)(31)

[5] https://www.justice.tas.gov.au/about-us/legislation/penalty-units-indexed-amounts

[6] https://www.qld.gov.au/law/fines-and-penalties/types-of-fines/sentencing-fines-and-penalties-for-offences

[7] https://en.wikipedia.org/wiki/Penalty_unit#:~:text=A%20penalty%20unit%20(PU)%20is,units%20prescribed%20for%20the%20offence.

[8] Tasmania Occupational Licensing (Electrical Work) Regulations 2018 (14)(1)(p2)

[9] Nova Scotia Denturist Regulations (30)(1)(f)

[10] Cal Ins Code 1747 (p1)

[11] Idaho Code 54-1732(3)(e)

Disclaimer: The purpose of this post is to provide general education on information governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post Sanctions: The Repercussions of Poor Recordkeeping appeared first on Zasio.