Regulatory compliance has existed for industries such as financial services for a long time now. However, corporate scandals such as the Enron affair have accelerated the introduction of new, further-reaching regulations.
There are many different drivers behind compliance ranging from industry bodies and regulatory authorities through to local, national and regional governments such as the EU. The important thing is that an organisation researches what affects them in their particular country.
Failure to do so can have far-ranging consequences, from fines through to withdrawal of the authority to conduct business.
Many pieces of UK and EU legislation impact upon data retention, and will require UK companies to have in place secure data retention and recovery solutions. Certain industry sectors are subject to codes and practices that require specific additional data to be retained.
The Basel II Accord will require that all internationally active banks must adopt similar, consistent risk management practices for tracking and publicly reporting exposure to operational, credit and market risks.
This will mean large financial institutions will need to have the ability to capture, store and retrieve an increased amount of data relating to their customers.
The Sarbanes-Oxley legislation imposes strict reporting and record-keeping rules on companies listed on the New York Stock Exchange. Directors are personally liable for non-compliance.
The EU and UK Government have also been moving toward increased regulation of data storage in numerous sectors, and these regulations have a huge cumulative impact. It has always been commercially foolish not to securely look after one's data, but now in a number of instances it constitutes, at best, an unlawful act, and at worst, a criminal offence.
This is just the tip of the iceberg where the different rules and regulations governing compliance are concerned. Compliance is often seen as a regulatory problem, not as a business issue. Knowing where to start when going down the compliance route is also a challenge for many organisations.
The following checklist gives some guidance as to the factors to consider.
A Compliance 10-Point Plan
1. Organise for compliance - make the organisation accountable
2. Regulations and risk management - prioritise legislation by making a risk assessment
3. Who owns the data? - IT must take responsibility for ensuring its safety, if nothing else
4. Managing content - focus on critical content
5. Email retention and planning - user filing company policy
6. Instant Messaging as a record - policy or total ban?
7. Infrastructure conservation - don't throw the baby out with the bathwater
8. Choice of compliance tools
9. Manage vendors aggressively
10. Build from the ground up - you have to start somewhere.
There are a number of clear areas where technology can help with compliance. The first and most obvious of these is to have a comprehensive backup strategy.
Data retention and protection form an important element of many of the regulatory mandates affecting organisations. What we are seeing is that more and more data is required to be kept for longer periods of time. This means longer backup windows, because more data has to be backed up.
This need to retain different types of data can be seen in the table below, which gives some examples from the US of just some of the retention requirements impacting organisations there.
These requirements differ from country to country, so the important thing is for an organisation to thoroughly investigate what its local requirements are and to put in place appropriate policies to meet them.
Once an organisation has been through the exercise of deciding which rules and regulations apply to it in order to achieve compliance, it needs to examine what data it has in its environment.
The reason for this is that different data types are impacted by different rules and regulations. For example, accounting or financial data will need to be treated differently from personal information about customers, which in turn will need to be treated differently from email, and so on.
An important part of achieving compliance is to understand what data exists where. In many Windows environments this is very difficult as data of different types can exist on many servers in many different locations.
VERITAS' StorageCentral can help by allowing an organisation to centrally report on all its file-based data across its entire Windows infrastructure. An organisation can report on file types, location, age and far more. It also helps in identifying data that may not be getting backed up within the guidelines of a particular regulatory mandate.
This information enables an organisation to apply policies on how they treat the differing types of data and to organise that data more logically to make achieving compliance easier.
Protecting the Data
The next stage is to ensure that all the data identified by StorageCentral and data existing in databases such as SQL and Exchange gets backed up.
VERITAS Backup Exec and its agents and options can ensure that all the data is getting backed up with sufficient frequency and that there are enough copies of data for long term archiving.
Another important part of protecting the data for regulatory purposes is ensuring that all of it is covered. This includes data outside the data centre, in remote offices and on users' desktop and laptop machines.
Remote office data can be protected centrally through VERITAS Storage Replicator by replicating all the file-based data back to headquarters so that it can be centrally backed up by Backup Exec.
Backup Exec's Desktop and Laptop Option ensures that end users' changed data is automatically copied to shared folders on the network, which are in turn backed up by Backup Exec.
Long term compliance
One of the biggest challenges for long term compliance is to ensure that data is kept for a sufficient length of time, can be easily found and can be readily accessed when needed. This needs to apply to both file and email data.
The other challenge here is to do this cost effectively. If you look at the amount of data that needs to be retained long term, to keep it all on a high performance primary data store would be a very expensive answer. This is where the concept of the Data Lifecycle can help.
When data is created it has a lifecycle, i.e. a period of time for which it has to exist before it can be destroyed. This is often driven by regulatory data protection mandates.
During its lifetime this data will generally have changing value. For example, the data created when an online order for goods or services is placed is more valuable before the order is fulfilled than once the order has gone out and payment has been received from the customer. At that stage the data's value is lower and it is unlikely to be accessed frequently, yet it still needs to be retained.
Using this concept, it makes sense to move less valuable, less frequently accessed data to cheaper nearline storage rather than keep it on the primary data store. This is a more efficient and cost-effective approach.
However, compliance means that this data still needs to be easily retrievable and accessible. The same applies to email and messenger data.
VERITAS' recent acquisition of KVS, the market leading email archiving company, has helped here. Their Enterprise Vault product allows the creation of policies for archiving of email, file system and SharePoint Portal data. There is also the capability for indexing and fast retrieval to help with compliance.
Where StorageCentral has discovered Microsoft PST files, it can also handle the archiving of these.
In summary, compliance can't be ignored but by understanding the organisational impact of the different rules and regulations an organisation now has the tools at its disposal to help make achieving.
Data protection rules and regulations - what does compliance mean and how do you achieve it?
Compliance is an increasingly important and relevant issue to all organisations large and small and it is something that cannot be ignored.
Symantec, Middle East - Tuesday, December 21, 2004 at 12:38 UAE local time (GMT+4)