# Best Practices for Creating or Updating a Retention Schedule Whether your organization is looking to create a retention schedule from scratch or updating an existing one, there really isn’t much of a difference in terms of effort required. The first step of tackling the creation or revision of a retention schedule is research. That means understanding the following questions: For more at [Records retention schedule RRS.](https://www.accuracysoftware.ca/how-to-create-a-sound-rrs/)  What existing laws are we subject to? What new laws recently passed that we will be beholden to in the future?  What jurisdictional requirements by country/by state are we subject to? What new laws are being considered that we could need to incorporate? You’ll notice that three of those four questions are not static answers—they will continue to change and evolve over time. Creating a retention schedule is competing in a sport where the rules change constantly. To put this in perspective, Access’ software solution Virgo’s database contains retention policies for 140 countries and contains over 200k citations… but continues to grow and change by the day. Therein lies the challenges that many organizations are faced with – keeping up with change and having the resources to act when required.  The current focus on privacy and expansion of privacy laws across the globe has made maintaining or updating a retention schedule more complex than ever.  Likewise, there is a new degree of sophistication needed for organizations to comply with retention and disposition laws. The potential for litigations, discovery, investigations, and audits demand defensibility. The stakes are high when it comes to compliance. You can’t just pay lip service to retention – you have to follow through and be able to back it up. This is why organizations need a retention schedule that can be referenced in case they need to justify why a record was (or wasn’t) destroyed. Here’s a simple example: In the U.S., the record of termination of an employee must be retained for 40 years. At the same time, it contains conflicting PII which must be destroyed within a much shorter period depending on the record type. With so many requirements that are often in conflict, it usually results in keeping a record too long rather than destroying it too early. According to a survey of information security, compliance, and privacy professionals across 50 of the most respected companies headquartered in the U.S., over-retention (not early destruction) of information is a top concern. If you’re looking to leverage a technology solution that will enable you to create, maintain, or update a retention schedule, then it should be able to do the following: For more at [Records retention schedule RRS.](https://www.accuracysoftware.ca/how-to-create-a-sound-rrs/) Provide a single source of truth for privacy and retention .Allow your organization to meet the best practice of updating annually .Be legally defensible in the case of e-discovery, policy audits, and defensible destruction .Inventory the information that needs protection .Include privacy requirements .Be agnostic to what medium the record is in  .Building a schedule or records retention program is just the beginning. Maintaining compliance, with constant changes occurring, is another. Refreshing a retention schedule in the United States alone is a substantial lift because new laws are passed daily. As mentioned on the recent live Access webinar, “We ran a calculation in our Virgo database and there are approximately 200 updates to retention requirements per day.