Compliance: Data Storage in a Regulated World
There are many industries that are regulated – Financial, Health, Insurance, and Accounting and Tax planning to name a few. Now, here lies the problem – each regulated industry requires a different set of rules according to its given regulator. The need for a bridge between the technical understanding of the business requirements and the regulatory guidelines is very apparent. Anyone reading this article who has read the FCA’s (formerly FSA) handbook and tried to understand what IT governance is required will know what I mean. I will list a couple of examples where compliance for data storage and retrieval differs vastly.
Health – Meeting and Minutes details – Must be held for a minimum of 30 years.
Insurance – Employers Liability Policies – Must be held for a minimum of 40 years.
Now, these are just two low-level examples of data retention. Add ALL of the other considerations (and there are a lot) into the mix: Data Access, Information Security, Business Continuity, Data Protection laws etc. You will soon see that the role of a CIO/CTO within these regulated firms is a difficult one, especially knowing that these regulations change too.
So, we have hoards of information that we need to store under our governing body. Where do we store it? This creates another problem: who do we trust to store it effectively and for this length of time? Let’s be honest, most technology firms cannot see past a 5-year business plan, let alone 40 years. Then there is the format that the data has been stored in: will we all be naive enough to think that in 20+ years’ time the data we stored initially can even be accessed? When I was working in the banking sector we had so many disparate systems it was crazy, and over a 5-year plan we eventually standardised them through one platform. However, we still had the same problem of catering for the eventuality of recalling data from an OS/2 Warp operating system from 10 years prior.
Now, consider the financial regulated world. This is a very complicated topic, and again the policies differ massively depending on what type of activities you conduct under the regulator. For example, the length of time records should be kept depends on which type of business the records relate to. For MiFID (Markets in Financial Instruments Directive) business, records must be kept for at least 5 years after an individual has stopped carrying on an activity; for non-MiFID business, it is 3 years after stopping the activity; and for a pension transfer specialist the records must be kept indefinitely. This includes Email, Files, Databases and in fact any data that has been used for the given business. There’s a MiFID II on the horizon (2015), with even more significant changes looking to be introduced.
Now, do you see the complications of this one topic (data storage) within IT Governance? For me, conformity needs to stem from understanding. If you do not understand what you need to conform to, how on earth can you? A simple understanding of one ruling of conformity (for example, 2 years of data storage and not 5) could save you £1000s and let you sleep at night. Imagine if you knew the rulings for ALL of your data storage requirements and had fine-tuned them to your infrastructure, or better still had spoken to someone who already understands them.
There is one company I have spoken to recently whose approach to this challenge warrants particular merit, and they stand by a 100% guaranteed data restoration rate however long you store your data for: Arkivum. Arkivum’s storage is based on the principle that 3 copies are needed for absolute certainty that data is safe. So, using active integrity checking at all times, every one of your files is copied three times, with two copies held online in geographically separated Data Centres and the third held offline, locked away in an escrow service. It was very interesting for me to talk to a technology company and discuss compliance; they even have a dedicated compliance officer.
Is this the future for IT companies, that they must have a better understanding of compliance rulings in regulated industries? With the “internet of things” gathering momentum and even your domestic items being able to talk to each other (and maybe even talk about you to each other), let alone the internet – my feelings are that the regulation of IT, especially Cloud, is paramount and right up there with security. The only issue I have with regulations is that they sometimes stifle creativity and flexibility, but that’s a whole new topic that I am sure we will discuss in the future. What are your thoughts on regulated IT and compliance?