Elevate the power of your work
Get a FREE consultation today!
Changing attitudes toward defensible data disposition
Blogs and Articles
Managing information requires a fresh perspective as the line between data and records blurs. Defensible disposition is no longer just about compliance but balancing risk, innovation, and trust. Embracing flexible and risk-based principles can transform data management for what comes next.
During our most recent Education Series webinar, I had the opportunity to meet with two fantastic data experts to explore one of the hottest topics of 2025. For records, data, IT, legal, and privacy leaders, there is no question that the approach to managing and securely dispositioning data and records continues to evolve. I was joined by Steve McKie, Head of Records and Information Management at Willis Towers Watson, and Steve Wright, CEO & Partner at Privacy Culture, for this truly enlightening conversation.
Information is one thing. Action is everything. Our Education Series has always prepared you for what’s next in data and records. This discussion inspires action to lead the charge.
Related: Watch the full webinar or keep reading for highlights and key takeaways.
No doubt, the line between records and data is disappearing
For years, you’ve probably treated records and data as two separate entities within your organization. Records are typically seen as official information evidence: the signed contracts, the final reports, etc. Data has been seen as having lesser inherent value as it is simply the raw, unrefined facts.
But this distinction is quickly fading.
The truth is, much of your data is being seen as more valuable and will eventually become a critical business record that you must manage as responsibly and opportunistically as traditional records. This shift has been put into overdrive by the explosion of AI and a growing web of complex (and global!) privacy laws.
It’s a bit of a false dichotomy to separate data from records. Essentially all records are data, and much of our data will—at some point—be a record.
If you’re in Information Governance or Privacy, you feel this pressure. It’s like you’re trying to get everyone to speak the same language when your teams have completely different priorities:
- IT wants to manage systems and data storage.
- Business units want to use data for innovation.
- Records Management wants to ensure compliance and defensibility.
You need a new way of thinking about information, and specifically, data. See it for what it is: a massive asset and a significant liability.
- Data is an asset that fuels insight, drives innovation, and gives you a competitive edge.
- It’s also a liability that carries real risk from privacy breaches, security threats, and compliance gaps.
This brings up a vital new concept: data health. It’s no longer enough just to have data. You have to know if you can trust it. That means asking simple but crucial questions: Is it accurate? Is it authentic? Did AI create it, and what does that mean for its reliability?
The risk of outdated thinking
Sticking to outdated ways of managing data—treating it solely as a business or IT concern—introduces real, often hidden, risks.
You’re left exposed when you don’t apply modern lifecycle management to your data. This can make audits a nightmare and leave you scrambling to defend your practices during litigation. Beyond legal exposure, poor data practices simply hold your business back. You end up with:
- Wasted potential: Low-quality data and mountains of ROT (redundant, obsolete, and trivial) information kill the promise of your analytics and AI projects.
- Bloated costs: Letting data volumes grow without a plan leads to unsustainable storage bills.
- Increased exposure: The more unnecessary data you keep, the larger your attack surface becomes for security breaches and compliance violations.
If we’re not making sure that we have the right controls in place, it becomes a great risk to an organization... We can’t just let our data volumes grow and grow.
Modern data management is especially critical with the explosion of AI. Feeding a model poor-quality or unmanaged data is a recipe for disaster. You get flawed outputs and hallucinations, which completely undermine reliability. It’s the classic case of garbage in, garbage out.
And without strong governance, it’s easy to create blind spots with cross-border data transfers. You might think your data is stored safely, but if that cloud instance is in another country, you could violate major privacy laws without knowing it.
Related: From creation to disposition: Managing data through its lifecycle
The new playbook: Shifting from rigid rules to pragmatic principles
A traditional, trigger-based approach to records retention simply won’t work for today’s dynamic business data. Applying rigid destruction dates stifles the very innovation and opportunities that you’re trying to create.
The new approach must be business-driven, focusing on usage, lineage, and value throughout the data lifecycle.
You can’t take a traditional retention approach to data as you would with a record. If you simply destroy data when a trigger kicks in, you limit opportunities.
A new retention playbook means first rethinking disposition. It’s not just about hitting the delete button anymore. You have modern alternatives that can reduce risk while keeping the data’s analytical value, including anonymization and de-identification.
A word of caution: anonymization isn’t a silver bullet. Truly anonymizing data is complex, and you must have a plan for the operational complexity of re-identifying individuals if they exercise their right to be forgotten.
Finally, AI governance adds another critical layer. For your AI models to be explainable, fair, and auditable, they depend entirely on well-managed, transparent data sources. It all comes back to the health of your data.
If a new approach is leaving you feeling overwhelmed, we said we would inspire action, not just give you information. The saying, “How do you eat an elephant? One spoonful at a time,” goes a long way here. Adopting a risk-based framework lets you prioritize your efforts and focus on what matters most first.
Related: Beyond the box: The digital impact on retention schedules
Assembling your data disposition team
Let’s return to the challenge we discussed earlier: aligning different departments, each with its own language and priorities around data. Addressing this challenge is not a solitary effort. Modern data disposition is an inherently collaborative discipline.
To succeed, you need an approach that brings together leaders from IT, Legal, Privacy, Risk, Records Management, and the business units. The goal is to break down silos and build a culture of shared responsibility where ownership is clear and everyone is accountable.
Your role in this is to become a trusted advisor. The key is learning to speak the language of each department by focusing on what motivates them.
- For IT, you can frame it as a way to reduce storage overhead and simplify system management.
- For Legal and Risk, you can highlight how it mitigates compliance risks and improves defensibility.
- For the Business, you can show how healthy data powers more reliable analytics and AI.
If you haven’t already, now is the time to formalize this collaboration. Establishing a Data, AI, and Ethics Committee gives you a dedicated forum for cross-functional decision-making and a clear process for escalating the tough calls.
Your legal team’s involvement is critical here. Their role must include reviewing and updating your third-party contracts to ensure they contain modern data protection clauses that safeguard your information wherever it flows.
Build a defensible position, one step at a time
The path to modernizing your data governance can feel immense, but the goal is consistent progress, not immediate perfection. A policy that looks flawless on paper but is impossible to operationalize is effectively worthless.
Instead, focus your energy on creating a defensible position. This means having a practical, implemented plan that shows you are taking active, thoughtful steps to manage your information.
So, where do you begin?
Start with a tangible proof of concept. A quick win, like a ROT cleanup project for a single high-risk, high-priority area, can build momentum and demonstrate immediate value.
Related: Digital detox: Practical ways to clean up ROT
This is part of the shift away from old, rigid rules. Rather than getting bogged down in a traditional retention schedule, focus on documenting your approach and standards. This creates a flexible framework far more defensible than a rigid policy you can’t enforce.
Finally, time your efforts strategically. Use an upcoming technology migration or a new AI initiative as your opening. It’s the perfect moment to get a seat at the table and build essential governance requirements into a project from the ground up, ensuring your organization is ready for what's next.
Watch the full webinar
Interested in learning more about this topic and hearing the live Q&A with our panelists? Visit Iron Mountain’s 2025 Education Series to watch the on-demand recording of Changing attitudes toward defensible disposition.
Featured services & solutions
Policy Center
Know your obligations and show compliance with our online Policy Center tool
Information Governance Advisory services
More than 100 information governance experts are ready to help grow your program with a comprehensive approach
Iron Mountain InSight Digital Experience Platform
Access information from a unified, automated, secure platform
Related resources
View More Resources
PremiumVideos and Webinars
AI-powered compliance: automating accuracy and reducing risk in HR
In today's rapidly evolving business landscape, HR professionals are constantly challenged by tedious, manual processes and ever-changing compliance standards. What if you could automate accuracy, significantly reduce risk, and even transform HR into a strategic cost-savings center?
July 16, 2025