How can companies ensure they are archiving and protecting business data to comply with electronic data laws? Hugh Jenkins explains.

Governments worldwide are placing companies under increasing scrutiny as corporate failures and fraud demonstrate the need for regulation. UK businesses are challenged more than ever before by electronic data laws, and they need to ensure that they are complying with all of the different legal requirements.

Understanding and complying with the minefield of regulations can be a challenging and expensive task. The UK now has a regulatory regime where financial reporting systems must be of the same industrial strength as transactional process systems. UK organisations now have to ensure all data relating to trades, transactions and all accounting practices throughout the organisation is auditable.

Laws such as the Freedom of Information Act state that public authorities must comply with requests from the general public for the information they hold, which may pose data accessibility challenges. And Basel II, which introduces new requirements for measuring credit and operational risk at European banks, asks them to retain historical data for up to five years and have it readily available for inspection.

UK businesses are not only challenged with UK and European laws. The US Sarbanes-Oxley Act of 2002 requires publicly traded companies, accountants, attorneys, and even firms that intend to go public, to retain electronic business records for five years and financial data for seven years after an audit. Sarbanes-Oxley does not just apply to US companies - any European business listed on the US stock exchange is affected and any European company with 300 or more shareholders in the US is bound by the requirements. To comply with Sarbanes-Oxley, companies are spending millions of pounds on their IT infrastructure.

IT infrastructure

Compliance hits at the core of data control and pushes examination of it further into the organisation. Companies are now having to grapple with how to build an IT infrastructure that retains data over long periods of time, keeps data secure in its original format and can easily be recovered.

Almost half of British businesses believe their IT costs have increased over the past two years as a direct result of complying with legislation, according to research by Dell. On average, over one-tenth of the annual technology budget is spent complying with legislation, with almost a quarter of businesses feeling that this is to the detriment of other vital resources.

The non-financial cost of non-compliance can be high too. Companies risk litigation and criminal penalties if they do not comply with electronic data laws.

Despite this, three quarters of British businesses questioned in Dell's survey were not confident that they can comply with all the requirements pushed upon them, citing reasons such as the increasing number of regulations, lack of awareness of legislation and a lack of time to deal with it.

Companies must remember, however, that legislation has not been created to catch them out. Revamping data storage processes does not have to be just a bureaucratic hoop-jumping exercise. An organisation's compliance-driven IT architecture can also lead to opportunity. Alongside operational efficiency, such as the systematic archiving of financial data, e-mail and other important records, businesses could also expect to see reduced risk to business continuity as well as a greater trust in their brand as a result of compliance.

"It is smart to comply with the law. In addition, this whole undertaking can be a real performance enhancer for businesses at the process level," says Andy Efstathiou, a technology management strategies analyst for the Yankee Group. "By investing the appropriate amount of time and thinking strategically, you can satisfy regulatory requirements while you develop a better understanding of your own business."

The route to compliance

No matter what data storage and security strategy an organisation uses, IT decision makers should consider these six key questions.

- Will content be stored and remain unaltered over the required time frame?
- How will the technology stay updated to ensure long-term availability of records?
- Does the technology enable the organisation to retrieve data quickly enough to respond to a legal request within the stipulated deadline?
- Can the technology grow with the business and meet regulatory requirements?
- Can the technology be used with other content generating applications?
- How will this data storage architecture address litigation and discovery challenges?


Best practices

To meet the requirements of regulatory compliance, businesses must focus on the collection, secure storage and easy retrieval of business-critical data. After learning which electronic data laws affect them, companies must follow best practice processes and build an IT architecture that will support all legislative requirements.

"The way most regulations are written, there isn't a clear road map to compliance," says Efstathiou. "What eventually rises to the surface are best practices. Companies cannot ignore the regulations, but they can tailor the regulations to a mutually acceptable outcome for the government and themselves."

For industries that must comply with electronic data laws, the growing response is to adopt an approach that includes processes, people, and technology to effectively manage and maintain electronic records. The key is to balance vulnerabilities, risks and costs with operational needs.

Companies should consider the following aspects.

Requirements: Companies must determine which regulations affect them and require compliance. Many companies get guidance from legal consultants, industry associations and external auditors.

Roles: Many laws ask senior executives to take responsibility for ensuring information security and deciding how to respond to regulations. A data security strategy should be tailored to the organisation's needs, and executives should assign explicit roles, responsibilities, authority and accountability to the individuals who should carry out the plans.

Data retention: While assessing data security needs, companies should determine the impact that regulations will have on their data. Where do certain kinds of data reside in the organisation? What data formats do you use? How should you index files? Does data have to be maintained for long periods of time? How quickly must you be able to access it? Must it be readily accessible, even with future software? Do you need to keep data in its original format and never alter it?

Security status: Companies should assess current data processes and security practices, including networks, facilities and hardware. What is being stored and backed up on the network? Identify security gaps and develop a plan to close them. It is essential to keep employees trained and aware as new data management and security requirements unfold. Conduct periodic testing and evaluate the effectiveness of security policies and procedures and quickly respond to vulnerabilities.

Enabling technology

Based on regulatory requirements, organisations usually have to deal with two types of data: data that is unalterable and data that is alterable or removable. Unalterable data, such as permanent records and e-mail archives, usually must be kept on-site and requires a permanent storage array. Alterable or removable data can be stored off-site and only needs to be kept for a set period.

Data backups are necessary to recover lost data in an emergency, but they typically retain data for a shorter time. Data archives, on the other hand, are designed for the long term and require a combination of online and offline storage solutions.

Companies will have to map out an architecture that automates data backup and recovery processes, including offline and online storage, and allows for storage of media that needs to be indexed and retained for long periods. To comply with Basel II, for example, European banks will have to consider whether their IT architecture meets auditing requirements.
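The two properties the article keeps returning to, that archived content "remain unaltered over the required time frame" and that it be held for the stipulated period, can both be checked mechanically. The following is an added illustration, not code from the article or from Dell: it records a SHA-256 digest when a record is archived, later proves the content is still unaltered, and works out when the retention period ends using the periods the article quotes (five years for electronic business records, seven years for financial data after an audit, up to five years under Basel II). The category names, the `anchor_date` field and the sample records are constructed for the example.

```python
import hashlib
from datetime import date

# Retention periods as stated in the article (constructed mapping, not a legal
# source): Sarbanes-Oxley keeps electronic business records for five years and
# financial data for seven years after an audit; Basel II asks for up to five.
RETENTION_YEARS = {"business_record": 5, "financial": 7, "basel_ii": 5}


def fingerprint(content: bytes) -> str:
    """SHA-256 digest recorded when the item is archived, so later audits can
    prove the content is still in its original, unaltered form."""
    return hashlib.sha256(content).hexdigest()


def archive_record(store: dict, record_id: str, category: str,
                   content: bytes, anchor_date: date) -> dict:
    """Write a record plus its digest and the date the retention clock starts
    (e.g. the audit date for financial data)."""
    store[record_id] = {
        "category": category,
        "content": content,
        "anchor_date": anchor_date.isoformat(),
        "sha256": fingerprint(content),
    }
    return store[record_id]


def retention_expires(entry: dict) -> date:
    """Date after which the record may be removed from the archive."""
    start = date.fromisoformat(entry["anchor_date"])
    target_year = start.year + RETENTION_YEARS[entry["category"]]
    try:
        return start.replace(year=target_year)
    except ValueError:            # 29 February in a non-leap target year
        return start.replace(year=target_year, day=28)


def audit_archive(store: dict, today: date) -> dict:
    """Classify every archived record for a compliance review: has its
    content changed since archiving, and is it still inside its period?"""
    report = {"unaltered": [], "tampered": [], "retained": [], "expired": []}
    for record_id, entry in store.items():
        intact = fingerprint(entry["content"]) == entry["sha256"]
        report["unaltered" if intact else "tampered"].append(record_id)
        past = today > retention_expires(entry)
        report["expired" if past else "retained"].append(record_id)
    return report
```

In a real archive the digests would be kept on separate, write-once media so that whoever can alter a record cannot also alter its fingerprint.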

"To comply with regulations, you have to implement solutions across multiple silos within your organisation," says Efstathiou. "You need the ability to bridge multiple silos to create a holistic view of the organisation - a view that is more cost-efficient and secure. For most organisations, it takes a fair amount of lead time to implement new solutions, test them, and work out the bugs - and most need to customise their infrastructures to a certain degree."

- Hugh Jenkins is enterprise marketing director, Dell UK, www1.euro.dell.com/content

Storage Expo 2006

Dell UK will be one of over 90 exhibitors at Storage Expo 2006, the UK's largest event dedicated to data storage. This year the show, which will be held at the National Hall, Olympia, London from 18-19 October, features a free education programme.

For further information see www.storage-expo.com

Storage consolidation

A survey by Dell last year found that storage consolidation is moving up the IT agenda. Fifty-nine per cent of businesses had consolidated their storage systems or were planning to in the near future. The biggest obstacle cited was budget, with 29% of respondents saying it was holding them back. Another key reason was the difficulty of measuring the value to the business, borne out by the fact that 44% of those surveyed could not estimate how much consolidation would cut costs.

Most IT managers recognised the benefits of storage consolidation. 44% thought it would give improved manageability, and 41% thought it would lower total cost of ownership. Other benefits were:

- improved utilisation and scalability (36%)
- helps to protect corporate data (29%)
- makes adding storage capacity easier (27%)
- maximises uptime and reduces unplanned downtime (26%).