When there is no available law or regulation to set a retention rule for records and data, many organizations fill in this gap by applying a limitation period as the retention rule. However, broadly applying this approach presents the risk of over-retention, and forgets the basis for using limitation periods in the first place.
Rather than applying limitation periods by rote, organizations should conduct a risk-based analysis to determine whether there is a material risk of dispute in this area.
In Connect on Tech, Lisa Douglas and I wrote about using a risk-based approach for limitation periods, and other things to consider when applying limitation periods in an information governance retention program. While organizations may not always want keep information for the full extent of the applicable limitation period, the best practice is to apply limitation periods where there is a significant risk of claims.
Limitation periods should be applied where there is a logical link between the type of information and the potential claim. Where there is no material risk of a dispute or legal proceedings, there is no reason to apply a limitation period as a default retention period.