It was tough enough, in the days before data privacy regulation got brutal, to keep pace with the “What?”, “How?”, “Where?” and “Who?” of records management, alongside the monitoring and maintenance of effective security and retention processes.
Today, the complexities arising from the newly intersecting worlds of records, information security, data privacy and data protection have set the regulatory cat among the pigeons for information asset owners.
We asked a variety of global financial institutions – all customers of CUBE – to reveal the events in the daily working lives of Records Managers and Data Officers that do most to raise compliance risk. Then we asked them what they have done to ensure peace of mind.
The 5 Dreaded Events
- Missing regulations
“When we tracked regulation manually, there was no way of knowing whether our regulatory content was complete. Simple human errors could result in serious compliance breaches and eye-watering enforcement fines. To ensure a complete and accurate view of all regulatory content relating to governance of our information assets, automation was the only answer.”
- Taking too long to capture and analyze regulation
“Every day, week or month needed to identify regulatory obligations and ensure that we had the right policy and controls in place was a day, week or month that we were exposed to risk. Costs were spiralling and we were not remediating gaps quickly enough. By automatically capturing and classifying regulatory content, we can search by regulator, jurisdiction, regulatory theme or keyword, for complete visibility of all relevant regulation. By automatically mapping all of that content to our business taxonomies, we see in an instant which regulations are relevant to our business.”
- Overlooking regulatory changes relating to records and data
“The amount of time and resource needed to monitor regulatory updates and changes manually was huge. Much of this work was outsourced to external lawyers or consultants, at substantial cost. In the end, it was still people monitoring and assessing regulatory change manually, which was a lengthy and error-prone process. Now, every time a regulatory change happens, we receive automated alerts and are immediately notified when any of our policies or controls fail to comply with new or changed obligations.”
- Failing to remediate regulatory gaps
“We could never be certain that every regulatory obligation was sufficiently addressed by the policies and controls in place, at any given time. Today, we automatically map current rules, regulation and legislation onto all of our policies and controls, and any gaps are revealed within seconds. We can even go back in time, to prove that on a specific date, given the regulation in force at the time, there were no policy or control gaps. We can also analyze upcoming regulations, to assess their likely impact in the future.”
- Retaining records and data for longer (or shorter) than required
“In the past it was tough to justify why some of our retention rules were misaligned with regulatory obligations, especially when conflicting obligations required risk-based decisions. We now have a defensible disposal policy backed by automated analysis and rock-solid audit trails that record the rationale for each decision and all actions taken. All policies governing information assets are mapped to current data privacy obligations, so it is clear which assets must not be retained for longer than the regulatory obligation.”
For more information on how to solve the complexities of governing information assets, download our ‘RegTech for Information Governance’ report.