While data access, encryption and data retention tools can help facilitate data storage compliance, they can only get you so far. To fully satisfy compliance audits, storage managers must also implement and enforce data retention policies that IT staff, legal staff and end users must follow.
In this podcast interview, Mathieu Gorge, CEO of security consultancy VigiTrust, talks to SearchStorage.co.UK about the data storage compliance regulations that storage managers in the UK must be aware of, such as the Data Protection Act 1998. Gorge also examines some of the data storage technologies and specific procedures storage managers can take to ensure compliance, including enforcing data retention and access policies and preparing for e-discovery requests.
You can listen to the interview as an MP3 or read the transcript below.
Ensuring data storage compliance in the UK
SearchStorage.co.UK: What data storage compliance regulations do UK IT departments face and what do they require organisations to do with their data?
Gorge: In the UK, all companies have to comply with the Data Protection Act 1998. The Data Protection Act 1998 is based on the 1995 European Data Protection Directive that has been adopted by most of the EU's 27 member states.
The Data Protection Act 1998 states eight principles of data protection which any organisation in the UK has to comply with:
- Data must be fairly and lawfully processed.
- Data must be processed for limited purposes.
- Data must be adequate, relevant and not excessive.
- Data must be accurate and up-to-date.
- Data must be kept for longer than is necessary.
- Data must be processed in line with your rights.
- Data must be secure.
- Data must not be transferred outside the country if the receiving party's country does not offer appropriate protection.
All of those requirements affect data storage and raise the questions of what data can be kept, how long must you keep the data and how do you secure it.
Secondly, there is industry-specific legislation in the UK which affects data retention.
The Financial Services Authority (FSA) legislation, introduced in March 2009, requires that some UK financial institutions record and store telephone conversations and electronic communications relating to customer transactions. The legislation requires that calls are recorded with encryption technology and that when information is transmitted or archived, that data is encrypted.
The FSA legislation affects all inbound calls and outbound calls, and requires access to the archived data from recorded calls. It is important to note that users of such systems must use strong authentication, such as two-factor authentication. You also need to be able to restrict and monitor access to recorded data.
The FSA requires financial institutions to not only use compliant solutions, but also enforce compliant processes, policies and procedures to ensure that staff deal with data the right way.
Thirdly, ISPs must follow the Data Retention (EC Directive) Regulations 2009, which state that data containing details of user Internet access, email and telephony must be retained for a minimum of 12 months. This data encompasses IP addresses assigned to specific users/organisations, log-in and log-off times where applicable, the sender, the recipient, and the date and time.
Finally, there are industry standards that affect which data must be retained and how this data is to be treated. For example, the Payment Card Industry Data Security Standard (PCI DSS), which applies to credit cardholder data, lays down guidance on what data can be kept and for how long, including rules on how to protect data that is archived.
SearchStorage.co.UK: What are the key steps in ensuring your organisation is legally compliant with regard to the retention of data?
Gorge: The first thing to do is to ensure you are aware of the legal and industry standards that apply to your organisation. At the very least you should familiarise yourself and comply with the Data Protection Act 1998.
The second thing you should do is to carry out an asset inventory of all your data assets and assign each of them a value. Values can include security criteria (for example, strictly confidential, confidential or public) or lifecycle criteria (for example, dynamic live data or archived data).
The next step is to ensure that each category is clearly associated with data acquisition, archiving/retention, retrieval and data destruction processes. Ensure the archiving and retrieval process is supported by compliant technology which must be secure and allow for a full audit trail.
You should also ensure that you are aware of how to deal with legal discovery requests. This includes the technology aspect – how to retrieve data without damaging it – and the legal aspect, which is ensuring that your lawyers are aware of the implications of data requests.
Next, you need to examine certain operational aspects of your data recovery and data inventory processes, including:
- How much time will performing a data inventory take?
- How much storage do you actually require?
- Are you maximising your storage capacity? Most people aren't because of poor data classification and retention processes.
- For e-discovery and disaster recovery (DR) purposes, are you testing how fast you can access stored data?
Finally, there is the green storage aspect. If you manage data archiving and access properly, you can reduce your storage hardware requirements, optimise information lifecycle management (ILM) and, in turn, reduce the impact on the environment.
SearchStorage.co.UK: What are the main technologies and processes that an IT department can employ for data storage compliance?
Gorge: The first thing is data discovery and asset inventory tools. Every organisation needs to know what type of data it is looking at, and it needs a matrix showing where the data is being stored, its data classification level and how long it needs to be kept.
The next step is to secure the data while you are working on it and when it is archived. Storage encryption tools, strong authentication tools and log management tools allow you to have complete control over data during its lifecycle.
Automated e-discovery tools are also useful as they can help you be prepared for any legal discovery requests that your organisation may face.
You also need to have strong processes in place, including:
- An asset inventory process to identify and classify data.
- An acquisition process that describes how you acquire, access and retrieve data.
- A business continuity/disaster recovery process that states how you get access to mission-critical data in a crisis situation.
- An e-discovery process that will guide you through a legal discovery request.
Finally, staff training is critical to a successful data retention framework. There are three types of staff that need to be trained:
- The IT staff to look after the technology that looks after the data.
- The legal staff to look at how long you need to keep data and how you should access data for legal discovery requests.
- The organisation's end users to understand the value of the data so that they take appropriate steps to protect it and ensure that it is kept according to applicable policies.