When it comes to retaining data, keeping everything is now recognised as more often a risk than an asset. With regulatory scrutiny under GDPR reaching record levels, and enforcement of the EU AI Act introducing a formidable new layer of governance requirements, the nature of records management is certainly changing.

For data practitioners, this can mean a few things. This article explores the critical role of records management in reducing modern data risk, the systemic costs of organisational neglect, and tips for transitioning toward a defensible, manage-in-place future.

The 2026 picture: why the stakes have changed

For years, the data community viewed regulatory compliance as simply something to be cleared during project launches or audit cycles. However, as we move through 2026, sentiments do seem to be shifting as data risk becomes high-velocity and high-cost. The time of keeping everything ‘just in case’ is over, replaced by a climate where over-retention is a primary liability. 

Data from The International Lawyer’s Guide to Data Privacy Laws in 2026 (Kiteworks, 2026) confirms what perhaps many have felt: GDPR enforcement has evolved from sporadic penalties into something a little more relentless. Cumulative fines have now surpassed the €7.1 billion mark. Perhaps more tellingly, over 60% of this total value has been imposed since January 2023, with approximately €1.2 billion issued in 2025 alone. While the Irish Data Protection Commission continues to lead in aggregate fines, hitting over €4 billion due to its oversight of major tech hubs, the enforcement map is widening. We are seeing a significant uptick in penalties across the finance, healthcare, and public sectors.
 

A new layer of risk

For data practitioners, the focus is now split. While continuing to comply with GDPR, many are also now preparing for the EU AI Act, which reaches full enforcement for high-risk systems in August 2026. This creates a double penalty landscape. The AI Act introduces a second layer of sanctions that can reach 7% of global annual turnover, surpassing the 4% threshold we have become accustomed to under GDPR. This means that records management is now also about the provenance of the datasets used to train, tune, and run AI models.
 

Records management for risk reduction

While the vast volume of data available in 2026 is a significant asset, it can also be seen as a double-edged sword. For many organisations, the initial excitement of data-driven insight has been replaced by the reality of drowning in data. Therefore, data practitioners must recognise that data is only an asset if it is retrievable, accurate, and legal to hold.

A strong Records Management (RM) framework works towards converting raw data into a governed, secure asset. According to Securiti, it does so in the following ways:


  • Operational efficiency: By implementing clear taxonomies and automated indexing, organisations can reclaim the 20% of the workweek typically wasted on internal resource hunting.
  • Defensible security: RM aligns with privacy-by-design principles. By categorising data by sensitivity, we can apply targeted security controls, such as encryption and strict access logs, where they are most needed.
  • Financial optimisation: Unmanaged data is a hidden cost. RM allows professionals to identify and securely dispose of ROT (Redundant, Obsolete, and Trivial) data, drastically reducing storage overheads and cloud infrastructure costs.
  • Business resilience: Systematic record-keeping is the foundation of continuity. Organisations with digital RM systems adapted far more effectively to the remote shifts of the 2020s because their institutional memory was structured and accessible.

The cost of neglect  

In light of big data, many organisations have operated under the mantra that more is better, stashing away every byte of information they can in cloud storage and backups. However, contrary to what was previously thought, it now appears that holding onto lots of data for a long time can prove risky.

Why do failures persist?

There can be barriers, most notably the complexity of Mergers and Acquisitions (M&A), where organisations inherit legacy systems and dispersed data stores without proper remediation. Additionally, there is the policy-to-practice breakdown, where many firms have a PDF policy but lack the tools to enforce it across unstructured data.
 

What next?

Many of the most resilient organisations have moved away from legacy archiving, the practice of moving data to secondary silos, in favour of a manage-in-place strategy. Governing records directly within source systems can eliminate the security vulnerabilities created during data transit and reduce the risk of shadow archives. This approach ensures that data governance policies follow the data throughout its lifecycle, rather than being applied as an afterthought in a disconnected repository.

Central to this modernisation is the move toward AI-driven classification. Relying on manual user tagging or rigid, keyword-based rules is becoming a thing of the past. Intelligent automation, such as the use of large language models, allows practitioners to manage the unstructured nature of much of the data businesses are dealing with today. It effectively bridges the gap between policy and practice, ensuring that retention schedules are enforced at the speed of business.

Furthermore, records management has become an essential pillar of the growing zero-trust architecture. While it was once enough to simply delete data at the end of its life, it is often now thought that, in addition to this, the data's exposure must also be restricted as its business value wanes. By integrating Records Management (RM) with Identity and Access Management (IAM), professionals can implement ‘least privilege’ for aging records.

This means that, as a document enters its semi-active phase, access permissions should automatically rotate, ensuring that only the most essential personnel can view it. This reduces the blast radius should a breach occur, protecting sensitive records that are being held purely for regulatory reasons.
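The downgrade described above can be expressed as a small policy function. This is an added example, not code from the article or from any RM product; the retention schedule, group names and record fields are all hypothetical.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical retention schedule (constructed for this example): per record
# class, days a record stays "active" after its last business use, and the
# total days it must be retained.
SCHEDULE = {
    "contract": {"active_days": 365, "retain_days": 7 * 365},
    "hr_file": {"active_days": 180, "retain_days": 6 * 365},
}

# Hypothetical IAM groups allowed to read a record in each lifecycle phase.
PHASE_READERS = {
    "active": {"business-unit", "legal", "records-officers"},
    "semi-active": {"legal", "records-officers"},
    "expired": {"records-officers"},  # held only until disposal is approved
}

@dataclass
class Record:
    record_id: str
    record_class: str
    last_business_use: date
    legal_hold: bool = False

def phase(rec, today):
    rule = SCHEDULE[rec.record_class]  # unknown class raises KeyError: fail closed
    age = (today - rec.last_business_use).days
    if age < rule["active_days"]:
        return "active"
    if age < rule["retain_days"] or rec.legal_hold:
        return "semi-active"  # a legal hold blocks disposal, not the downgrade
    return "expired"

def plan_access(rec, current_readers, today):
    """Return (phase, groups to revoke, disposal due?) for one record."""
    p = phase(rec, today)
    # Only ever narrow access: never grant a group the record does not have.
    revoke = sorted(set(current_readers) - PHASE_READERS[p])
    return p, revoke, p == "expired"
```

Run on a schedule against the source system's own permission model, this keeps the policy in place with the data; the revocation list is what would be handed to the IAM system.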

Actionable steps for data practitioners

For professionals looking to reduce data risk through better records management, here are a few immediate priorities to consider:

  • Identify where records are being moved to secondary archives and evaluate whether a manage-in-place API integration could replace these high-risk transit routes.
  • Start by applying AI-driven classification to one high-risk data stream (e.g., legal department emails) to test the accuracy of automated retention tagging against your existing manual policies.
  • Review your semi-active records and implement automated access downgrades. Ensure that archived data is not automatically accessible to the whole organisation.
  • Establish a centralised, immutable log for AI training sets and algorithmic impact assessments. This should be treated as a permanent record, separate from the data used in the models themselves.
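One way to make the log in the last step tamper-evident is a hash chain, where each entry commits to everything before it. This is an added example, not the article's or any vendor's implementation; the field names and sample entries are constructed, and the log holds only metadata and a dataset fingerprint, not the training data.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev-hash value used for the first entry

def _digest(prev_hash, payload):
    # Canonical JSON so the same payload always hashes to the same value.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append(log, payload):
    """Append an entry whose hash commits to every entry before it."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    log.append({"prev": prev_hash, "payload": payload,
                "hash": _digest(prev_hash, payload)})
    return log[-1]["hash"]

def verify(log):
    """Return the index of the first broken entry, or -1 if the chain is intact."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        expected = _digest(prev_hash, entry["payload"])
        if entry["prev"] != prev_hash or entry["hash"] != expected:
            return i
        prev_hash = entry["hash"]
    return -1

def build_sample_log():
    # Constructed sample entries; the dataset bytes stand in for a real file.
    fingerprint = hashlib.sha256(b"constructed sample dataset").hexdigest()
    log = []
    append(log, {"type": "training_set", "name": "claims-2025-q4",
                 "sha256": fingerprint, "lawful_basis": "contract"})
    append(log, {"type": "impact_assessment", "model": "claims-triage-v2",
                 "outcome": "approved"})
    append(log, {"type": "training_set_retired", "name": "claims-2025-q4"})
    return log
```

A chain like this detects edits and deletions inside the log but not truncation at the tail, so the latest hash should also be recorded somewhere the log's writers cannot change, such as write-once storage.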

Ultimately, reducing data risk is not about the volume of information held by an organisation, but the precision with which its lifecycle, from creation to defensible conclusion, is managed.
 
Sources:
https://www.kiteworks.com/gdpr-compliance/gdpr-fines-data-privacy-enforcement-2026/
https://www.datadynamicsinc.com/blog-beyond-the-box-why-keeping-everything-forever-is-your-biggest-records-retention-risk/
https://www.accesscorp.com/blog/the-five-risks-of-poor-records-management/
https://securiti.ai/what-is-records-management/
https://www.isaca.org/resources/news-and-trends/industry-news/2025/the-legal-and-regulatory-risk-of-data-overretention
https://www.cloverdx.com/blog/6-major-data-management-risks-and-how-to-tackle-them
