As data volume increases, companies are looking to find stable yet scalable ways to preserve their business data. On this quest, companies are often switching to cloud or virtual deployment systems, both of which are expected to grow in market share and value over the next several years.
According to some estimates, the US market of software-defined data centers will surpass $50 billion over the next five to six years. Cloud infrastructure spend has meanwhile increased for a third consecutive year, which attests to the increasing reliance on cloud solutions for business operations and decision making.
Does cloud compliance pay off?
Using third party cloud and software-defined solutions has a number of benefits. Companies get a one-stop solution, spanning both storage capacities, network infrastructure, and tech support.
This alleviates the budget, which has been crucial over the last year, where most pandemic-stricken businesses had to make significant cuts but also meet various compliance requirements.
On the other hand, these ‘remote’ solutions cause reluctance as companies might not always have access to all their data in a timely manner, which is crucial for regulatory compliance, eDiscovery processes, and legal proceedings. If companies can’t control who has access to their data and if the data is kept outside organizations, they might find it difficult to meet regulatory requirements.
Whose data are cloud data?
At the start of the year, many companies were stirred following the announcement that WhatsApp will share data with Facebook. This brings about tremendous changes, as some companies might find their data exposed, and thus liable for serious data breaches.
The reason for this widespread disturbance is that WhatsApp is used by employees to talk amongst themselves about ongoing business cases, sending voice messages, placing calls, exchanging videos, images and GIFs. They also exchange information with prospects, existing customers and partners.
All of this information needs to be preserved untouched, in a retrievable manner, readily available for later use. So companies now need to go back and reassess what lies in their corporate WhatsApp archive to be able to understand whether or not they have unwillingly breached a clause or two.
All these laws prescribe their own set of rules. Companies need to take into various considerations:
- types of records – they need to collect and preserve any and all forms of business records. This means all the tweets, status updates, comments, emails,
- retention periods – each industry has its own records retention periods. Healthcare records should be preserved for seven years, financial institutions also need to keep their records for seven years, telecom companies should preserve them for two years.
- custom formats
- rules of disclosing information
- time to respond to a data retrieval request – again this can vary greatly. In some cases, organizations have a couple of weeks only to collect and disclose a lot of information under a data request. If their records are scattered across multiple cloud or virtual solutions, they might not be able to deliver all the required information, and also miss the deadline, which can result in fines and legal action.
To be able to make the most out of their cloud and virtual business intelligence systems, companies should focus on ensuring some of the following features.
Functionalities that help meet compliance
This is not an exhaustive list, but can significantly cut down the time needed for data collection, and ensure incident-free records management.
As we’ve mentioned earlier, the rise in the volume of data records is a big obstacle for companies that need to encompass and get hold of all this information in varying formats.
To preempt non-compliance, companies should ensure they can easily restore desired files, via search functionalities that would allow setting parameters and get back relevant information in seconds.
This means companies should be able to search through messages, attachments, look for senders and recipients, based on file formats, and across different periods.
As a result, companies would be able to speed up their data retrieval process, by having a single ‘window’ through which they could find relevant records fast.
Given the sensitive nature of business records, it’s also important to note that companies should be able to present how (and if) data has been edited and modified.
Audit logs are particularly useful for compliance teams, which would then be able to present when the records were created, who has accessed them, and what sort of modifications have been made to the business records.
This metadata is essential in legal proceedings, as it can show the entire path of a bit of data, from its creation to its potential unsolicited disclosure, along with all the participants on that path.
Companies need to manage numerous business records. And in the future, we can expect this volume to grow exponentially.
Of course, if companies don’t expunge their records right after their retention period expires, they might be liable under some circumstances.
The point is that over-keeping records isn’t any better than not keeping them at all. And a business record will have its own retention date, and managing their expungement manually would be impossible and require substantial resources.
Sometimes, companies receive a request under which they need to disclose a record that happens to contain information about another third party, for example, a multilateral agreement of business cooperation.
If a legal officer needs to prepare evidence for court hearing, they need to remove from the document any classified information about persons and entities which are not the subject of the dispute.
While back in the day, compliance rested mostly in the domain of legal departments, today it’s become a team discipline, similar to cybersecurity.
Given the expansion of BYODs and remote work-related cyber attacks, organizations need to pay extra attention to make sure everyone is on the same page about what is and what isn’t allowed in the workplace.
This is best achieved through a thorough data strategy, that needs to secure the buy-in from all stakeholders and really secure that everyone on the team respects the agreed boundaries.
On the other hand, from a technical perspective, this is best achieved through fully customized roles and permissions. The data will be available only to those functions and departments that have a business need to access them, which also helps to narrow down the scope when determining plot holes in our data defense.
All of these efforts are intertwined and require our own awareness and knowledge of how and compliance concerns each one of us, from client-facing employees to top management.