
A life sentence

New laws in SA will compel companies to manage their data properly. But there's almost no guidance on how to proceed.

By Paul Furber, ITWeb contributor
Johannesburg, 19 Jul 2010

Sooner or later, someone in your organisation is going to say: "We need to be compliant." The first question to ask is: "Compliant with what?" The ECT Act is a typical answer, but the Protection of Personal Information (PPI) Bill will soon be another good one.

PPI's goal is "to promote the protection of personal information processed by public and private bodies, and to introduce information protection principles so as to establish minimum requirements for the processing of personal information", according to the preamble.

Some of its sections have significant implications for companies that keep any form of information about their customers that could be construed as personal. But where is that information stored now? How is it organised? Is it even classified properly? The CIO who needs to answer these questions could be forgiven for being overwhelmed, even if he already has an information life cycle management strategy.

Gerrie van Gaalen, partner at Van Gaalen Attorneys, says he's read the PPI in some detail.

"I've read through it because I have to understand it on behalf of my clients," he says. "My first response to them is you need to understand your own business first. Businesses need to understand what information they have. Once they know that, only then can they understand what legislation is relevant and how it will affect them."

Bryan Balfe, business development director at CommVault, says there are two wrong approaches to the legislation.

"We're seeing a lot of people doing one of two things," he says. "One is ignoring the issue until hopefully someone else goes to jail. The other is deciding King III is something they do professionally and forgetting what business their own company is in. They then start on a project to 'Kingify' their entire business. I couldn't agree more about understanding which parts are relevant. You can find people incurring massive cost deploying complicated technology and still looking like twits because they haven't deployed what they should have."

Kendall Watt, presales engineer at Mimecast, says this is because of a lack of guidance.

"A number of our customers are frustrated by the fact that there are no clear guidelines about what they need to follow," he says. "The ECT Act doesn't actually speak directly about records retention periods, for example, and customers don't know where to turn. There are a number of ICT lawyers out there, but the customers don't know about them so they're asking their vendors and partners about how long they should be storing information."

There are no clear guidelines.

Kendall Watt, presales engineer, Mimecast

Half the trouble is that this isn't a technology problem.

"There is a lot of technology out there and a lot of people think that if they install a certain piece of technology, they will be 100% compliant," notes Charles de Jager, solutions specialist at SAP. "But there isn't a magic button. There isn't something to buy off the shelf to do that. Gartner has said manage information and not technology. We spend too much time worrying about hardware and software and we haven't concentrated enough on what our information really is and how it should be classified. It's not about data warehousing or BI, but rather 'what is information management?'"

The reason is historical, says Paul Walker, product specialist at Informatica. "As we saw the introduction of CRM, ERP and the digitising of business processes, businesses thought they could suddenly wash their hands of the problem," he says. "It's an IT problem! IT has to maintain it, report on it, back it up and so on. They thought that was the end of it. Now we've gone back and told them that they need to care about all of this."

The e-mail question

How long should I keep my e-mails?

It's one of the simplest questions to ask - and one of the most reasonable for a businessperson - but one of the hardest to answer. Chris Hathaway, director of Soarsoft Africa, says the key question is really what business process is being done via e-mail.

"Do you even need to keep e-mails?" he asks. "Very few companies can say that they don't transact some form of business via e-mail. There are various sections of information inside an organisation and they all need to be tackled in different ways. I still see a huge divide between IT and business. I get requests daily: how do these products comply with these new pieces of legislation? My answer is always: people, process and, lastly, technology. While technology is a great enabler (although not a silver bullet), it's the hard yards that have to be done by the business.

"Ironically, one of the most important uses of technology is getting rid of information in a controlled and guaranteed way. I work quite a lot with archive solutions but, actually, people are using them, not to keep information, but to get rid of it."

Watt says classification needs to come first.

"Before you even consider an archiving solution, you need to sit down and look at who you're communicating with, how you're doing it and then classifying that data. It's trying to understand what the mediums are and then asking what legislation governs them. If I'm dealing with a financial contract for a credit agreement, then I need to retain records for five years after the termination of the contract."

The answer to the e-mail question could be as simple as deciding not to conduct business via e-mail, says Balfe.

"You have to have business and IT working together to come up with what the data management strategy is. The strategy could well be to pay no heed to a particular piece of legislation. Sarbanes-Oxley in the US is a good one because it's the one with the most teeth, but also the least guidance. It says: 'Tell us how you do stuff and we'll assess whether you do what you said you were going to.' So there's a potential for interpreting some of the Bills coming through now and saying: 'Okay, we're simply not going to communicate critical information via e-mail. Therefore, we don't need to back it up.' The pharmaceutical companies figured this one out a long time ago. That is a policy on which they can be assessed."

Businesses thought they could wash their hands of the problem.

Paul Walker, product specialist, Informatica

Even then it's easy to make disastrous mistakes. Balfe says that all too often, companies with these kinds of issues point problem by point problem, piece of technology by piece of technology.

"We've all seen people deploy best-of-breed e-mail archiving solutions and then not back up the archive. You can do everything correctly - buy the best archiving solution and the best backup solution - but then not marry the two together. That's not a happy place to be if your job title is head of risk or, worse, IT director."

De Jager says this was the cause of a famous incident involving an investment bank.

"This happened to Morgan Stanley where a judge awarded $1.6 billion against it because it couldn't produce a set of e-mails," he says. "Obviously, the cost of compliance is going to be a lot less than that."

Understand your business first.

Gerrie van Gaalen, partner, Van Gaalen Attorneys

Sometimes it's a combination of lip-service compliance and the cheaper technology option. Comments Walker: "I was talking to a telco recently that has call records on a tape library. It's just about to get rid of the tape library system so in the future, there will be no way of getting hold of any of that information. It's theoretically possible to get it, but they don't really know how. I see this sort of thing all the time."

Keith Goosen, managing consultant at EOH Consulting, agrees that the business has to be involved from the very beginning.

"There are technology solutions and that type of thing, but the key thing is that inside an organisation is a thing known as governance and that comes from the business side. Now if I'm going to do something at the IT level and I don't have representation at the board level, the chances are that enforcement won't happen. What is the objective of the organisation? What are the terms you define and the policies? Those have to be hand in glove with the activities that would then define the compliance. Current legislation is a whole plethora of common law and bits and pieces of the ECT Act."

Technology-neutral

When the law is unclear, there's plenty of scope for interpretation, especially if it's hard to enforce. Van Gaalen says enforceability is actually the biggest problem. But frustrated companies need to look at the big picture.

"It's important to understand why certain legislation has been put in place and it's much bigger than trying to resolve a single issue here and there. It's to do with globalisation. India is a good example. It had a very strong call centre industry, but it had a problem transferring information back to the US and Europe because of its laws. So India changed its legislation in line with the principles in Europe so that information could come in. The same thing is happening here."

That may be small comfort for the retailer struggling to make sense of what his business should and shouldn't keep in the database, but Balfe says legislation has had some positive effects, albeit unintended.

"One thing that has come into being directly as a result of SOX is the notion of disclosure. We at least now have people willing to say they've made a mistake, how it happened, why it happened and the steps they're taking so that it doesn't happen again. Just to get a culture of being responsible for data will come more from fear of being put in the papers. The PPI is the one I find interesting in this country. People don't really care about legislation but they do care about the sales value of the data. PPI asks: 'Why do you have that data in the first place? Why does a gym need my driver's licence or need to know where my kids go to school?' All of these fragmented bits of legislation seem to be a bit of an a la carte menu for good governance. The underlying need to be able to prove that we run ethical and good businesses will stay, no matter what technology we're running in the future."

Companies would do well to start there, no matter what technology they have in place. It's going to change anyway. But the need for good governance won't.
