Big data, storage and compliance can often prove a mystery to the board. But big data provides opportunities for new lines of business where IT can lead the way.
And while there are also opportunities based on big data analytics, it is also absolutely vital organisations have full knowledge and control of the data they hold so they don’t fall foul of legal and regulatory compliance.
So, how do IT professionals convince the board of the importance of big data, as both an opportunity and as a responsibility that can’t be ignored?
In this podcast ComputerWeekly.com storage editor Antony Adshead talks with CEO of Vigitrust, Mathieu Gorge, about what comprises big data, why it matters to the board and its implications for storage and backup and legal and regulatory compliance.
Antony Adshead: What does the board need to know about big data?
Mathieu Gorge: First of all, the board of directors and senior management in any organisation are ultimately responsible for ensuring that business is in compliance with any data protection regulations, whether it’s in one national territory or deals with transfer of data from one area to another.
One of the things we’re seeing at the moment on the market is that directors are asking us about big data, big data security, storage for big data and what transpires is that a lot of them don’t understand the term big data.
So, you can go back to basics and break this down into the two words, “big” and “data”. Starting with data, they need to understand that data is more than just data on IT systems. It is also paper-based data, personal data, data in the public domain, data that may be shared with suppliers, partners and so on.
So, it’s the mix of structured and unstructured data within the systems, some of which are now moving to the cloud that they need to fully master.
The second part here is the term “big”, and I think that very quickly we’re going to move to what I call huge data, which is the explosion of data in an organisation’s IT system, internally and externally and maybe on the cloud.
So, the board needs to understand that the data they end up being custodians of resides on systems they have responsibility over, and that’s one of the issues.
The best way to get their attention is to look at a potential incident involving data that might be stored the wrong way, maybe not securely, maybe in the wrong area, the wrong territory with regard to data compliance.
There’s the issue that data ends up in the public domain and the organisation suffers because of it. That ultimately has an impact on the share value of the company and potentially on the overall profit and loss of the company.
So, if you manage to link the financial impact of data management you’re going to get the attention of the board.
Adshead: What are the implications of big data for compliance and storage and backup?
Gorge: The main implication, especially in Europe, revolves around compliance with data protection regulations.
So, the first thing to look at is whether an organisation has looked at its data from a data protection audit perspective.
The organisation should look at defining what data it holds. For example, it may have a mix of personal data, data in the public domain, data that may be co-owned under a shared IT agreement.
Then they need to understand that they ultimately are the controller of that data, then map out all the data processors that they might have, whether internal lines of business, third party partners, or cloud providers.
Once they’ve done that they can start classifying the data and deciding where that data needs to be stored and backed up and how that needs to be secured.
So, the best thing to do is to draw up what we call ecosystem diagrams, which are business diagrams that show the different business units, the partners and basically anyone that’s interacting with the organisation’s way of doing business.
Then there should be a data flow diagram that shows the flow of data in each line of business, between partners and the organisation and so on. And then finally look at technical diagrams. That will allow you to inform and implement a strong storage policy based on that data classification.
So, it’s all about making sure you know how you acquire personal data, how you manage the records, how you dispose of records, how you maintain them and how you secure that data.
Boards should be aware that the Data Protection Act in the UK requires them to take appropriate security measures to protect the data and the appropriateness and effectiveness of the security around the data depends on how you classify the data.
In order to classify the data you need to know where it is and that links back into your storage policy: How do you know where the data is? Have you taken the right steps to protect it?
Finally, one area that boards should not forget about is the issue of user awareness. The Data Protection Act, as well as the FSA and industry legal frameworks like PCI-DSS, require users to be trained on what to do with personal data and data pertaining to clients. So, it’s very important that the board is aware of that because, ultimately, a security issue linked to poor data management can affect the share value of the organisation and the profit and loss.
This was first published in September 2013