ICAG has over 30 years of experience of working with Chief Data Officers and Heads of Records Management in tier-1 Banks and Financial Institutions in relation to Enterprise Records Management. ICAG’s CEO, Subas Roy is a pioneer in Records Management transformation and regulatory compliance strategy in both North America and Europe.

Best Practices in Records Management

Best practices in Records Management, including an appropriate Governance and Operating Model, need to include a robust records management lifecycle and all other key associated processes: managing breaches, addressing regulatory concerns (e.g., SEC Rule 17a(4)), continuous monitoring and reporting, and appropriate records retention and disposal.

The Records Management governance and operating model should include an appropriate lifecycle comprising the following four key phases.

  1. Records Creation: Processes to identify, capture and classify records using a uniform mechanism.
  2. Records Usage: Ability to search, retrieve, use and reuse records based on business, commercial and other needs.
  3. Records Storage: Processes for Records Retention in line with the key regulatory requirements (e.g., NYDFS rule 500.13) and records protection from unauthorized access and/or use.
  4. Records Disposal: Harmonized processes for the transfer, archival or disposal of records once their retention period has expired.

RECORDS MANAGEMENT IMPACT ASSESSMENT (RMIA*) AND PERIODIC INDUSTRY BENCHMARKING

ICAG’s proprietary Records Management Impact Assessment (RMIA) enables an organization to complete a comprehensive assessment and benchmarking of its existing Records Management practices, the gaps and improvements required, and the key regulatory issues and actions. Once complete, the RMIA also helps to create a multi-year Records Management programme implementation roadmap. The quick-reference diagram for the RMIA (not reproduced here) covers the key regulatory regimes, including SEC Rule 17a(4) WORM compliance, UK ICO, ESMA and EU compliance, and CFTC Rule 1.31 compliance.

There are seven key components of the ICAG RMIA benchmarking framework.

  1. Records Management Governance, Operating Model, Controls and Reporting
  2. Records Creation process, issues management, and resolutions
  3. Records Usage including search, retrieval and reuse processes
  4. Records Storage and Retention in line with the applicable regulatory requirements
  5. Records Disposal, including the use of technology to manage the legal-hold process before actioning safe disposal or archival to cold storage.
  6. Records breaches, waivers, attestation and conformance monitoring, to ensure your organization is compliant with its policies, standards and procedures.
  7. Records management systems, tools, security and infrastructure, to make sure you have implemented a best-of-breed solution that remains scalable and flexible as your organizational needs change over time.

Get in touch with Subas Roy (subas.roy@icagpartners.com) to discuss further.

Reform of the UK Data Privacy Law will create further recordkeeping requirements for businesses

Access the Bill here: Data Protection and Digital Information (No. 2) Bill – Parliamentary Bills – UK Parliament

The Data Protection and Digital Information (No. 2) Bill has been introduced to Parliament by the Government. This replaces the previous version of the Bill that was introduced last summer and which has now been withdrawn. The purpose of the Bill is to update and simplify the UK data protection framework in order to reduce compliance burdens for businesses, whilst ensuring that the UK’s high data protection standards are retained. The Government has publicised the Bill as a “common sense led” UK version of GDPR which will “cut down pointless paperwork for businesses and reduce annoying cookie pop-ups”. The reforms will impact all UK businesses. Headline reforms include:

  1. organisations will only need to keep records of personal data processing if their processing activities are likely to pose high risks to the rights and freedoms of data subjects;
  2. creation of a new lawful basis for the processing of personal data where such processing is necessary for a recognised legitimate interest set out in secondary legislation;
  3. addition of non-exhaustive examples of the types of processing that may be necessary for a legitimate interest of the controller, including direct marketing, intra-group transmission that is necessary for internal administrative purposes and processing that is necessary to ensure the security of network and information systems;
  4. improved clarity on when safeguards for solely automated decision-making apply;
  5. broadening the circumstances in which organisations can refuse to answer a data subject access request, so that requests can be refused where they are vexatious or excessive;
  6. clarifying rules on international transfers of personal data, with a focus on data protection outcomes;
  7. making it easier to use personal data for scientific research;
  8. increasing fines for nuisance marketing;
  9. creating a framework for the regulation of UK digital verification services;
  10. facilitating creation and operation of smart data schemes; and
  11. reform of the Information Commissioner’s Office.