Digitise \ Capture \ Integrate

020 7732 3223
Contact Us

From Filing Cabinet to Lifecycle: What Records Management Actually Means in 2026

Alasdair Ebeling

Alasdair Ebeling

Contact the Digital Transformation Experts

Ready to start your digital transformation journey? Contact Dajon today for a free no-obligation consultation!

Contact Us

Try this. Ask ten senior managers in your organisation what records management means.

Nine of them will describe a storage problem. Documents take up space. Space costs money. Some of those documents have to be kept for a defined period; others can be destroyed. Records management is the function that decides which is which, and where the keepable ones live in the meantime.

The tenth will describe a governance problem. Records are evidence of how the organisation conducted itself. They support decisions, demonstrate compliance, and protect the business if those decisions are later challenged. Records management is the function that ensures those records are authentic, complete, accessible, and disposed of appropriately when their job is done.

The gap between those two answers is the single most important issue in records management in 2026. Three forces – regulatory, technological and organisational – are making the storage model unsustainable. Records and Information Management Month is the right moment to ask which model your programme actually runs on.

What records management is supposed to be

The governance framing isn’t novel. It’s been the international professional consensus for the better part of three decades.

ISO 15489, first published in 2001 and revised in 2016, is the international standard for records management. It defines the function as ensuring that “authoritative evidence of business is created, captured, managed and made accessible to those who need it, for as long as it is required”[1]. The phrase that does the work there is “authoritative evidence”. Records aren’t filed because they take up space; they’re managed because they prove things.

ARMA International, the global professional body for records and information management, makes the same argument in more accessible language through its Generally Accepted Recordkeeping Principles (GARP). The principles cover accountability, integrity, protection, compliance, availability, retention, disposition and transparency – none of which are storage concerns[2]. They’re governance concerns that happen to involve documents.

In other words, the standards have been clear for twenty-five years. What’s lagged is the operational reality.

What records management usually is in practice

Most UK records management programmes, including those at large regulated organisations, run a storage model in everything but name.

The programme maintains a file plan and a retention schedule. Both are documented. Both are reviewed periodically. Both have been signed off by someone senior. The programme pays a third-party provider for archive storage – paper boxes in a secure facility, with a barcode reference and a retrieval service. When records reach the end of their retention period, the third party processes destruction on request and issues a certificate.

What the programme doesn’t do is classify records at the point of creation. New records arrive in shared drives, email, collaboration platforms and line-of-business systems without metadata, without consistent naming, and without any signal indicating which retention rule applies to them. The programme doesn’t enforce retention in those systems – the policy says records should be disposed of after a defined period, but the shared drive contains everything that was ever placed on it. The programme has no operational role when a subject access request lands, when a regulator asks for evidence of a decision, or when a litigation hold needs to be applied. It produces boxes when instructed.

This isn’t a programme failing at its own remit. The remit itself is the problem.

The lifecycle as it’s actually lived

A governance-model records programme works to a lifecycle considerably broader than creation–use–disposition. The expanded lifecycle now in common use includes capture, collaboration and version control, active use, retention and storage, holds and discovery, and disposition[3]. Each stage represents a governance decision a storage-model programme isn’t structured to make.

Capture is the moment a record enters the estate. A storage-model programme has effectively no involvement here – records arrive in whatever shape and format they were created in. A governance-model programme applies classification and metadata at capture, because retrospective classification at scale is prohibitively expensive. This is where digitisation projects with OCR and structured metadata pay back many times over, because they convert a passive archive into a searchable asset.

Collaboration and version control is the stage at which records are edited, commented on, approved or superseded. Every change is a governance question – which version is authoritative, who approved it, what the previous version said. Storage-model programmes typically treat all versions as records, which is both expensive and unhelpful when someone needs to know what the agreed position actually was. Governance-model programmes distinguish the canonical record from its drafting trail.

Active use is the phase most programmes understand instinctively. Records are referenced, cited, used in decisions. The governance question here is findability on the terms the business actually uses – a finance team that searches by supplier name doesn’t benefit from a records system organised by document type.

Retention and storage is where storage-model programmes concentrate their effort. Boxes go to the archive; digital records sit on a server somewhere. Governance-model programmes do something different: They enforce retention rules in the systems where records live, rather than merely publishing them in policy documents. The distinction matters because policy without enforcement produces estates that hold records past their retention period and lose records before it.

Holds and discovery is the stage that exposes most storage-model programmes. When litigation, regulatory investigation or a subject access request lands, ordinary retention rules pause. Records relevant to the matter must be preserved, including records that would otherwise have been disposed of. Storage-model programmes typically learn about this after the fact, when the legal or compliance team has to scramble to suspend deletions across multiple systems. Governance-model programmes can apply holds in real time, with audit logs that prove they did.

Disposition is not just deletion. It’s documented, authorised, and evidenced. A governance-model programme can prove what was destroyed, when, on what authority, and to what standard. A storage-model programme generally can’t go further than the destruction certificate from the archive provider – which, if challenged, doesn’t address the records that were never sent to the archive in the first place.

Read together, these stages describe a programme of substantially greater operational depth than a storage-model approach can deliver. The depth isn’t optional. It’s what makes the function defensible when it’s tested.

Why the storage model persists

Three honest reasons explain why so many programmes have stayed with the storage model long after the standards moved on.

First, it’s cheaper to run – or appears to be. Storage costs are visible: lines on an invoice from a third-party provider. Governance costs are distributed across every part of the business that can’t find what it needs, can’t apply a hold quickly, can’t evidence a decision under audit, or can’t respond to an SAR within thirty days. Distributed costs don’t show up on records management line items, which makes the storage model look efficient on paper.

Second, it’s organisationally simpler. Storage can be outsourced. Governance cannot. A governance-model programme requires sustained engagement from HR, legal, IT, compliance and operations, and it requires those teams to agree on classification, retention and access. That coordination is hard, and it competes for executive attention with everything else those teams are doing.

Third, the storage model is legible to senior management. You can point at an archive. You can quantify it. You can show how many boxes went in, how many came out, how much space was reclaimed. You can’t point at a governance maturity level. You can’t quantify the SAR you would have failed to meet had the records not been classified properly. You can’t show the litigation that didn’t happen because records were defensibly disposed of three years ago.

These are real reasons, not bad ones. But the conditions that made them defensible are changing.

The three forces making 2026 different

The regulatory force is the most visible. The Data (Use and Access) Act 2025, which became law on 19 June 2025, codified the existing case law around “reasonable and proportionate” searches in response to subject access requests, and introduced a stop-the-clock provision for cases where a controller is waiting for clarification from the requester[4]. Codification raises the bar – an organisation defending its search methodology now has to defend it against a statutory standard, not a judicial one. The ICO’s enforcement record over the past two years has demonstrated that the regulator will use reprimands, and on at least one recent occasion personal criminal prosecution, against organisations and individuals who can’t meet the requirements. Continuous compliance has replaced point-in-time audit as the governing expectation, and continuous compliance is incompatible with a programme that only acts when asked.

The technological force is the rapid mainstreaming of AI in regulated business processes. ISO/IEC 42001:2023, the first international standard for AI management systems, makes recordkeeping a foundation requirement for AI governance – AI systems must be able to produce documented training-data records, decision logs, model-version histories and deletion evidence to be auditable[5]. An organisation that wants to deploy AI responsibly cannot do so on top of an ungoverned records estate. The records management programme stops being a back-office function and becomes the substrate on which AI governance is built. We’ve covered the AI readiness implications elsewhere on this blog.

The organisational force is the most diffuse but in practice the most consequential. Hybrid working, cloud migration and the proliferation of collaboration platforms have distributed records across an estate that no storage-centric programme can track. Records now live in Microsoft 365, Google Workspace, Slack, Teams, Salesforce, line-of-business systems, personal devices and third-party platforms accessed through SSO. The organising question has shifted from “where is this held?” – answerable for a paper archive – to “what do we know about what we hold?” – answerable only by a governance-model programme.

The three forces don’t operate independently. They compound. An organisation trying to respond to a 30-day SAR using AI-assisted retrieval across a hybrid cloud estate needs all three axes working at once. The storage model can’t get there from here.

A brief word on maturity

ARMA’s Information Governance Maturity Model offers a useful diagnostic. It defines five levels, from Level 1 (sub-standard – records handling is ad hoc, with no defined policy) through Level 3 (essential – meets minimum legal and regulatory requirements) to Level 5 (transformational – records management is integrated into strategic decision-making)[2].

The honest use of the model isn’t to aspire to Level 5. It’s to ask where your programme actually sits. Most regulated UK organisations believe they operate at Level 4 or 5. In our experience, many actually operate at Level 2 or 3 – meeting the essential minimum, perhaps, but a long way short of integrating records governance into business decisions. The diagnostic value of the model lies in surfacing that gap.

A useful version of the question to put to your own programme is: If we had to evidence our records management practice to an external auditor tomorrow, against the GARP principles, what would we be able to prove? Not what would we be able to claim. What would we be able to prove?

What to do with this

Records and Information Management Month, observed every April, is the right moment to ask the question honestly. A governance-model records programme doesn’t need to be built overnight, and few organisations have the appetite to attempt it overnight. But the destination needs to be recognised before any of the steps toward it make sense.

For most organisations, the first move isn’t a system procurement. It’s a gap analysis against a recognised maturity framework, applied initially to a single high-risk record class – personnel records remain a strong candidate, for the reasons we’ve explored elsewhere – and worked outward from there. The gap analysis surfaces the practical priorities: which records need to be digitised with searchable metadata, which legacy systems need migrating into governed environments, which retention rules need enforcement infrastructure rather than just policy text, and which functions need to agree shared playbooks for capture, holds and disposition.

Dajon helps regulated organisations make those moves. Not through a single procurement event, but through the sustained work of converting a storage-model programme into a governance-model one – starting with the records estate as it actually is, and building toward the function that the standards have described all along.

References

  1. ISO 15489-1:2016 – Information and documentation – Records management ISO[]
  2. Generally Accepted Recordkeeping Principles Wikipedia[][]
  3. Information Governance and the Records Lifecycle The Texas Record[]
  4. Data (Use and Access) Act factsheet: UK GDPR and DPA GOV.UK[]
  5. Integrating ISO Records Management Standards with ISO/IEC 42001:2023 Meta Archivist[]

Related posts

Data Management in Wealth Management: Competing in 2026
What Data Management Will Really Look Like in 2026
Digitisation: A Guard Against Lost Time
Why Does Master Data Still Become Inconsistent, Even in Integrated Systems?
Data Management in Construction: Building a Smarter 2026