Data protection rules and regulations - what does compliance mean and how do you achieve it? (page 1 of 2)
- Tuesday, December 21 - 2004 at 12:38
Compliance is an increasingly important and relevant issue for all organisations, large and small, and it is something that cannot be ignored.
There are many different drivers behind compliance ranging from industry bodies and regulatory authorities through to local, national and regional governments such as the EU. The important thing is that an organisation researches what affects them in their particular country.
Failure to do so can result in far-ranging consequences, anything from fines to withdrawal of the authority to conduct business.
Many pieces of UK and EU legislation impact upon data retention, and will require UK companies to have in place secure data retention and recovery solutions. Certain industry sectors are subject to codes and practices that require specific additional data to be retained.
The Basel II Accord will require all internationally active banks to adopt similar, consistent risk management practices for tracking and publicly reporting exposure to operational, credit and market risks.
This will mean large financial institutions will need to have the ability to capture, store and retrieve an increased amount of data relating to their customers.
The Sarbanes-Oxley legislation imposes strict reporting and record-keeping rules on New York Stock Exchange-listed companies. Directors are personally liable for non-compliance.
The EU and UK Government have also been moving toward increased regulation of data storage in numerous sectors, and these regulations have a huge cumulative impact. It has always been commercially foolish not to securely look after one's data, but now in a number of instances it constitutes, at best, an unlawful act, and at worst, a criminal offence.
This is just the tip of the iceberg where the different rules and regulations governing compliance are concerned. Compliance is often seen as a regulatory problem, not as a business issue. Knowing where to start when going down the compliance route is also a challenge for many organisations.
The following checklist gives some guidance as to the factors to consider.
A Compliance 10-Point Plan
1. Organise for compliance - make the organisation accountable
2. Regulations and risk management - prioritise legislation by making a risk assessment
3. Who owns the data - IT must take responsibility for ensuring its safety if nothing else
4. Managing content - focus on critical content
5. Email retention and planning - user filing company policy
6. Instant Messaging as a record - policy or total ban?
7. Infrastructure conservation - don't throw the baby out with the bathwater
8. Choice of compliance tools
9. Manage vendors aggressively
10. Build from the ground up - you have to start somewhere.
There are a number of clear areas where technology can help with compliance. The first and most obvious of these is to have a comprehensive backup strategy.
Data retention and protection form an important element of many of the regulatory mandates affecting organisations. What we are seeing is that more and more data is required to be kept for longer periods of time. This means longer backup windows, because more data has to be backed up.
This need to keep different types of data can be seen in the table below, which gives some examples from the US of just some of the retention requirements impacting organisations there.
These requirements differ from country to country so the important thing is for an organisation to thoroughly investigate what their local requirements are and to put in place appropriate policies to meet those requirements.
Once an organisation has been through the exercise of deciding which rules and regulations apply to it in order to achieve compliance, it needs to examine what data it has in its environment, because different data types are impacted by different rules and regulations.
Symantec, Middle East