You might think keeping every document your organization has ever created forever is the safe choice. Spoiler alert: it’s not.
A document retention policy tells your organization what to keep, for how long, and when to destroy it. The IRS Form 990 specifically asks whether your organization has one. Answering “no” won’t cost you your tax-exempt status, but it potentially signals weak governance and could lower your charity watchdog ratings.
The “what to keep” part of these policies is driven by legal requirements. The IRS requires organizations to maintain records supporting their Form 990 for at least three years from the filing date, and six years if there’s a risk of underreported income. Employment tax records need to be kept for four years.
If you receive federal grants, the Uniform Guidance requires you to retain award records for three years after your final financial report, and longer if there’s pending litigation or an audit.
Certain documents, like articles of incorporation, board minutes, IRS determination letter, and tax returns, should be kept permanently. State law adds another layer; D.C., for example, requires nonprofits to permanently keep board minutes and records of all actions taken.
There can be real liability in keeping documents too long. When it comes to records your organization is no longer required to maintain, if you destroy documents on a regular schedule pursuant to a written policy, in the ordinary course of business, that’s defensible. If you keep everything forever and then selectively delete files when a problem surfaces, that can look like obstruction. A retention schedule protects you both ways: it ensures you keep what you need, and it generally gives you a legitimate reason to destroy what you don’t.
There’s also the discovery problem. In litigation or a government investigation, everything you’ve retained is potentially discoverable. That offhand Slack message from 2019? That draft memo someone never finalized? If it still exists, it can be requested and used against you.
In today’s largely remote world, where cloud storage is relatively cheap and essentially unlimited, the default for most teams is to keep everything. Slack channels accumulate years of messages. Asana boards hold every comment on every task going back to the organization’s founding. Google Drive folders grow endlessly because nobody wants to be the person who deleted something important. For remote teams, these tools are institutional memory, and staff resist any suggestion of cleaning them out.
That’s understandable, but it creates real exposure. All of that data is discoverable, and all of it is subject to litigation holds. If it contains donor information, all of it also falls under your data privacy obligations. A good retention policy addresses digital tools specifically: how long Slack messages are retained before auto-deletion, when completed project boards get archived and purged, and who is responsible for periodic cleanup of shared drives. The policy should also include a litigation hold protocol so that when a legal matter arises, routine deletion stops immediately.
Speaking from my own in-house experience, the hardest part of a retention policy isn’t deciding what to keep—it’s convincing your team to let go of the rest.
