From complexity to clarity: Navigating the new rules of information governance
For Operations and Line of Business leaders, information governance is no longer just a back-office task. Today, it is the key to keeping your license to operate and turning stagnant files into a competitive edge.

Several global shifts will change how you manage your most valuable assets. Here is what you need to know to stay ahead.
Quick guide: 2026 global impacts
| Department | What’s changing | The opportunity |
|---|---|---|
| Human Resources / Payroll | UK Employment Rights Act | Turn "inspection-ready" data into better workforce insights. |
| R&D / Life Sciences | UK Clinical Trials Regulations | Move from a 25-year storage "burden" to a long-term intelligence archive. |
| Marketing / Sales | US State Privacy Laws | Build customer trust through seamless "opt-out" and porting experiences. |
| Product / Technology | EU & Global AI Acts | Maintain market access by building AI models that are "responsible" and "ready." |
1. Workforce liability: Building a transparent foundation
The UK Employment Rights Act 2025 is rolling out through April 2026, requiring you to keep detailed payroll records for at least six years.
While the penalties for missing data are high, this is your chance to bridge the gaps between your systems. By linking your payroll data, you do more than just avoid fines—you see exactly where your variable pay and commission trends are heading. The UK is moving fast on transparency, so now is the time to tighten your retention schedules.
2. R&D & clinical trials: From storage to intelligence
Starting April 28, 2026, the required retention for clinical trial master files in the UK jumps from 5 to 25 years.
Don't look at this as a massive increase in storage costs. Think of it as a way to put your research to work. Moving from active servers to a secure, long-term digital archive keeps your data safe, accessible, and ready for future AI-driven discovery.
3. US privacy: Modernising the customer connection
As new privacy mandates go live in early 2026 across Indiana, Kentucky, and Rhode Island, the evolving US "patchwork" of regulations can often feel like a significant hurdle. This complexity is further underscored by the Federal Trade Commission’s (FTC) updates to the Children’s Online Privacy Protection Rule (COPPA), which emphasise the federal government's commitment to rigorous information governance, where non-compliance can now carry sanctions of up to $50,000 per day.
But at its core, privacy is about trust. Use the next 90 days to confirm your team is ready to protect children’s data and give residents easy access to their own information.
- Indiana and Kentucky: These laws give residents the right to opt out of profiling and require Data Protection Impact Assessments (DPIAs).
- Rhode Island: This law focuses on data porting and security notices.
- California and FTC: Stay alert for California’s phased risk assessments and the FTC's deadlines for having written policies for children’s data and deleting data accordingly.
4. AI de-risking: Keeping your market access
AI leadership depends on a solid data foundation. To maintain this, we are tracking the EU AI Act and the new US National Policy Framework, both of which emphasise "human-in-the-loop" oversight to balance innovation with safety.
By checking your automated tools now, you keep your products on the market and your innovation moving. We are also tracking risk-based rules in South Korea, human oversight mandates in Uzbekistan, and France’s latest privacy-by-design guidance.
Strategic takeaways for 2026
To elevate the power of your work this year, prioritise these three actions:
- Modernise retention schedules: Leverage Iron Mountain InSight® DXP, an intelligent content platform that transforms structured and unstructured documents into usable data. Its integrated governance tools help you navigate 80,000+ global requirements, maintaining seamless alignment with new 25-year and 6-year mandates.
- Verify AI readiness: Perform risk assessments for all automated tools to meet global standards and keep your data foundation scalable.
- Unify privacy controls: Implement unified solutions for data access to turn compliance into a seamless customer experience.
Featured services & solutions
InSight Digital Experience Platform
Access information from a unified, automated, secure platform
Information Governance Advisory Services
More than 100 information governance experts are ready to help grow your programme with a comprehensive approach
Policy Centre
Know your obligations and show compliance with our online Policy Centre tool
