
The corporate world is seeing an interesting shift: increasingly, corporate compliance teams are being handed ownership of records management programs. This might raise a few eyebrows. After all, records management has traditionally been run by the legal department, often as a component of legal or regulatory compliance. Legal teams historically oversaw records retention schedules and policies, given their focus on meeting regulatory requirements and preparing for litigation. So why are compliance teams now being tasked with this responsibility, and are they the right group to run these programs? The short answer is, yes. The reasons lie in the dramatic changes in records management needs and practices over the past five to 10 years.
Records management’s changing landscape
Not long ago, records management was a somewhat narrow function: ensure the company keeps the required documents (for the required time) and tosses the rest. That mission was largely driven by legal mandates: think regulations requiring seven-year retention for certain financial records. The job often fell to legal or dedicated records managers, and processes were manual and paper-centric. But the world has changed. Most records are born digitally. Yet, many traditional records retention programs were built for a paper world with filing cabinets and boxes in storage. Old approaches haven’t translated well to the digital deluge of emails, shared drives, databases, and cloud content. Those manual, paper-based processes were not conducive to managing today’s high volume of electronic information.
Employees simply do not (and realistically cannot) follow archaic schedules spanning thousands of record types across dozens of pages. The result is that policies get ignored and compliance suffers.
It’s not just volume and format that have changed. Records management now impacts many areas of the business, far more than it did when it was purely a legal compliance exercise. Poor records practices can slow down or derail eDiscovery in litigation, violate privacy laws, bloat IT storage costs, and impede employees’ access to the information they need to do their jobs. In short, the scope of what a records management program must handle has exploded. This expanded scope has revealed that sticking to the old legal department playbook isn’t enough; organizations are finding they need to modernize their records programs to keep up with new demands. The very term “records management” is evolving. Many companies are morphing their records programs into more comprehensive “information governance programs” that address the full lifecycle and value of information, not just its retention limits.
Beyond legal requirements: Business value and data minimization
One reason for the shift in ownership to compliance is that modern records management programs are no longer about only ticking off legal and regulatory checkboxes. Yes, compliance with laws remains fundamental. Any good retention schedule must still meet federal, state, industry, and international recordkeeping mandates. But effective programs today also focus on managing the business value of information, not just its legal requirements. In practice, that means working with business units to determine what documents and data have ongoing operational, strategic, or historical importance to the company. Modern policies explicitly include categories of records that may not have a law telling you how long to keep them, but which you retain because they’re vital to running the business or safeguarding intellectual property. This is a big departure from the past, when if something wasn’t legally required, it might not be formally recognized in the retention schedule at all.
At the same time, organizations face growing pressure to not keep data longer than necessary, especially personal data. Privacy regulations worldwide — from the European General Data Protection Regulation (GDPR) to U.S. state privacy laws — mandate data minimization, essentially requiring that personal information be retained only for as long as there is a legitimate business need. This creates a new layer of complexity on top of records retention requirements. Often, privacy rules say, “Delete data as soon as you can,” whereas other laws say, “Keep records for at least X years,” and business teams say, “We find value in keeping data longer.” These conflicting pressures can paralyze a traditional records program. The modern solution is to synchronize records retention with privacy requirements, largely merging the two into a cohesive data retention policy that balances both needs. Rather than having a separate “privacy deletion policy” and a “records retention schedule” at odds, leading companies integrate them. In fact, what one organization calls a “data retention policy” might be fundamentally the same as another’s “records retention schedule.” The label is less important than the policy being both records-enabled and privacy-enabled.
This blended approach ensures that when you set a retention period, you consider legal obligations, business value, and privacy obligations all at once. For example, if the law says keep customer contracts for seven years, but privacy principles say delete personal data when no longer needed, a privacy-enabled records program might still keep those contracts for seven years (to meet legal and business needs) but ensure they are disposed of after that, and perhaps justify why even seven years is necessary for business purposes. The end goal is a policy that prevents both under-retention and over-retention: you keep everything you truly need (by law or business value) and defensibly dispose of the rest, with documented justifications for personal data retention. This approach satisfies regulators, reduces privacy risks, and sheds data clutter.
There are very practical benefits here. Eliminating unnecessary records reduces eDiscovery burdens and storage costs — two concerns that resonate with both legal and IT departments. Companies drowning in legacy emails and documents struggle when that data is subject to litigation discovery: more data means more to search, review, and potentially expose in court. By curbing “save everything forever” habits, a modern records program helps limit the volume of data that could become evidence in a lawsuit down the road. It also directly cuts storage and backup costs by getting rid of ROT (redundant, obsolete, trivial data). In short, data minimization isn’t just a privacy mantra; it’s also smart records management and good business.
From records management to information governance
As organizations broaden their approach, many find that traditional records management is transforming into a broader information governance initiative. A records retention schedule used to be a standalone tool listing what to keep and for how long, mainly for compliance purposes. Now, it is often the backbone of a larger information governance framework. A modern, well-crafted retention schedule provides the foundation for an effective records and information governance program. It not only guides compliance with laws but also feeds into downstream processes like eDiscovery, privacy response, and even knowledge management.
Think of some areas now connected to records management. Litigation preparedness is one; your program must coordinate with legal holds (when the legal team says, “Stop deletion, we might need these records for a case”). Data privacy is another. As discussed, your retention rules need to dovetail with data minimization mandates. Operational knowledge management is yet another: employees need quick access to high-value information without wading through mountains of outdated junk. A forward-looking records program can even impact emerging technology initiatives. For instance, many companies are exploring generative AI and large language models to leverage their data. But an AI is only as good as the data it’s trained on. Increasingly, records and information governance teams are being called upon to ensure data quality for AI, meaning that the information fed into AI systems is accurate, current, and scrubbed of unnecessary or sensitive content. (The adage of “garbage in, garbage out” applies here: if your records repositories are full of garbage, your AI will gladly learn from that garbage.) Ensuring the organization’s data is well-managed and curated has become critical for those looking to responsibly deploy AI tools.
All these facets (legal holds, privacy, business value, knowledge management, AI data quality) fall outside the narrow scope of old-school records management. They are squarely in the realm of information governance, which is a cross-disciplinary effort. It’s no wonder that a purely legal department approach might struggle to cover all these bases. Information governance requires coordination across legal, IT, privacy, security, and business units. It’s about managing information risk and value holistically. This is where compliance teams enter the picture.
Designing a modern records program
Given the new objectives, modern records programs need to be designed differently from their predecessors. We’ve touched on some differences: integrating privacy, incorporating business value, and handling electronic data at scale. But what does a modern records management policy or schedule actually look like?
For one, it should be practical and user-friendly. Traditional retention schedules were often overly long and confusing, full of legal citations and cryptic codes that made sense to records managers but not to everyday employees. That doesn’t fly anymore. Today, the emphasis is on clarity and intuitiveness: use plain language and make sure people can actually figure out what a record is and how long to keep it. If you expect employees to follow the policy, they need to understand it. For example, instead of listing a retention rule as “ACT + 7” (where ACT means active), a modern schedule would say, “Keep seven years after contract termination.” This is straightforward enough for anyone to grasp. Modern programs also recognize that records can be in any format or system. Rather than focusing only on paper or treating email or chats as out of scope, the policy must account for all media. A mature approach is medium-agnostic: a crucial decision or approval might be in an email, Slack message, Word document, or paper memo. The format doesn’t change its value.
Including all information types across all repositories is essential, from structured databases to unstructured files to social media content.
Engaging the business is another design principle. Old programs often failed to involve business units in setting retention rules. Instead, these were drawn up by legal or records managers in a vacuum. Modern best practice is to build consensus with business stakeholders on what should be saved and what can be deleted. Why is this so significant? Because when it comes time to actually delete data (to enforce the schedule), business units will resist if they don’t trust the rules. By involving them early, understanding what they consider high-value information, and getting their buy-in on disposition, you avoid showdowns later. Employees and managers are much more likely to follow a policy they had a hand in shaping, especially if it aligns with how they work and what they need. Policies today aren’t just legal edicts; they are collaborative agreements. Reaching that agreement may take more effort up front, but it pays off when the policy is executed, and everyone isn’t fighting over what can be deleted.
Execution itself is a huge focus now. A records program on paper is not enough. It needs to actually be put into practice, preferably through automation. With the volume of digital records, it’s unrealistic to rely on humans manually applying retention rules to every document or email. Modern programs seek to bake retention and disposition into systems: configuring cloud storage or content management platforms with rules to auto-delete or archive files after a certain period, for instance, or using software that can classify records and apply the right policies. Automation not only makes life easier, but it also ensures consistency and compliance at scale. It’s the only way to enforce rules across an enterprise without hiring an army of records coordinators. That said, automation must be implemented carefully. It works best when the retention rules have been simplified and clarified (per the above points) so that coding them into tools is straightforward. A complex, convoluted policy is hard to automate and likely to fail in execution.
Finally, integration with other compliance and risk areas is a hallmark of a modern program. We already mentioned legal holds for litigation: any automated deletion process needs a mechanism to pause when items are subject to a hold (so you don’t delete evidence needed in court). Close coordination with the legal team handling eDiscovery is indispensable. Similarly, integration with privacy compliance processes is vital. For example, if a consumer requests their data be deleted under GDPR, your records program should accommodate that (perhaps by having shorter retention or special workflows for personal data). If the company has a data governance initiative for data quality or analytics, the records program should feed into it by identifying authoritative sources of truth and getting rid of duplicate or suspect data. In short, the modern records management program doesn’t live in a silo; it’s woven into the fabric of the organization’s overall governance, risk, and compliance strategy.
The compliance advantage
Considering all the above, what capabilities does a modern records management program demand? Let’s break it down. A successful program must:
- Understand and apply myriad legal and regulatory requirements, from financial regulations to employment laws to industry-specific rules, often across multiple jurisdictions.
- Balance risk and business need, making judgment calls on how long to keep information when laws are silent or conflicting, weighing the legal risks of deletion against the costs and risks of retention.
- Engage a broad range of stakeholders, including legal, IT, privacy, security, and various business departments, to build consensus and ensure alignment.
- Involve business units in identifying high-value information so that retention schedules reflect what’s truly fundamental to running the business, not just generic record types.
- Drive execution of policy through processes and technology, translating policy into training, procedures, and automated tools, and monitoring compliance over time.
- Ensure consistent compliance enterprise-wide by implementing the program across all geographies and departments and keeping it updated as the business and laws change.
If you think about it, these are precisely the skills and activities that seasoned compliance professionals excel at. Compliance teams are used to interpreting complex regulations, developing policies and controls, conducting training and awareness, coordinating across departments, and auditing or monitoring adherence. They also have experience in balancing the letter of the law with the practical realities of business operations, a skill that is invaluable when determining retention rules that satisfy regulators and work for the business. In many companies, the compliance function has already been tackling similarly broad mandates in areas like anti-corruption, data privacy, and cybersecurity governance. Records management, in its modern, expanded form, fits neatly into that paradigm. It’s about enterprise-wide risk management and policy implementation, which is the bread and butter of compliance teams.
By contrast, a purely legal-focused approach to records management might emphasize creating the policy, but not necessarily driving its adoption and enforcement across the company (which often fell to line managers or IT, with mixed results). Compliance teams, on the other hand, are program managers at heart. They are adept at taking a policy and building a sustainable program around it: defining roles and responsibilities, measuring compliance, and continuously improving. That programmatic mindset is exactly what a contemporary records and information governance initiative needs to succeed.
An elevated and welcome role
There’s another factor at play: senior management has come to realize the importance of having an effective records management and broader information governance program. High-profile data breaches, regulatory fines for privacy violations, costly litigation discovery exercises, and even public scandals from exposed documents have all elevated records management from a back-office task to a strategic business imperative. Executives and boards now ask about how information is being governed. They want assurances that the company isn’t exposed to unnecessary risk from poor information practices. They also see the upside: better information management can improve efficiency and even competitiveness (think of the insights to be gained from well-curated data, or the agility of a company that can find the info it needs in seconds rather than weeks).
With this spotlight on records and information, leadership is looking for the “pros” who can run a successful program. Increasingly, they are finding those pros in their compliance departments. It makes perfect sense: the compliance team has a track record of standing up programs that meet regulatory requirements, changing employee behavior, and holding up under scrutiny. They bring a level of rigor and holistic risk management that a siloed approach lacks. So, when the question arises, “Who can ensure our information governance is top-notch?” the answer often comes back as: the compliance folks.
Equally important, this shift reflects a much-elevated status for records management itself. What was once perhaps seen as a low-level administrative duty (“filing and storage”) is now recognized as a key function that can materially affect the company’s risk profile and performance. This recognition can be motivating. Rather than feeling that extra work has been dumped on them, smart compliance teams are welcoming the new role. They realize it’s an opportunity to leverage their expertise in a fresh area and visibly contribute to the organization’s success. Running the records management program puts compliance at the center of data governance, touching many facets of the business; a valuable perch from which to drive positive change.
Conclusion
In conclusion, compliance is being asked to run records management programs because the nature of those programs has evolved to require exactly what compliance delivers: a balanced, enterprise-wide approach to governance that marries legal requirements with ethical and operational considerations. Records management is no longer just about keeping the right papers in a box; it’s about steering the lifeblood of the organization’s information in a way that mitigates risk and powers the business forward. Who better to captain that ship than compliance? The companies that recognize this are not only elevating the compliance function but also giving themselves a better shot at mastering the complexities of modern information governance. And the compliance teams that seize this responsibility are proving their value in new and impactful ways, ensuring that the organization’s records (and the data-driven insights gleaned from them) remain an asset rather than a liability.
Takeaways
- As most records are born digitally, organizations are moving away from paper-based records management processes.
- Records management responsibilities are shifting. Many organizations are moving ownership of records management programs from legal departments to compliance teams, reflecting a broader scope and heightened importance of these programs.
- The role of records management is expanding. Modern records programs must go beyond legal requirements to include business value, privacy data minimization, and information governance, impacting multiple areas such as IT, legal (eDiscovery), privacy, and business operations.
- Compliance brings the right skill set. The modern approach to records management requires skills in policy development, cross-functional coordination, risk balancing, stakeholder engagement, and consistent enterprise-wide execution. All of these are core competencies of compliance professionals.
- An elevated, strategic function. Senior management now recognizes effective records management (and broader information governance) as a critical, strategic function. Forward-thinking compliance teams are embracing this expanded role, seeing it as an opportunity to drive value and reduce risk across the enterprise.
March 2026 | CEP Magazine