/ciol/media/agency_attachments/c0E28gS06GM3VmrXNw5G.png)
Follow UsBANGALORE, INDIA: The Indian enterprise today faces a dilemma - information has become a key business driver and is a strategic asset; yet, its rapid growth in volume can make it hard to tame.
There are many reasons why organisations tend to store information indefinitely. One of the key factors is compliance reasons where the law of the land/industry regulations mandate the availability of data for a certain period. For example, the home ministry has directed all telcos to store all user SMSes for at least six months, compared to the earlier rule of one week. With over 900 million mobile subscribers, the volume of data increases multifold. Further, there are similar rules around storage of data transmission such as video, multimedia, as well as call logs.
ALSO READ: 'Info security threat same as terror threats'
Almost every data intensive sector has such rules, and in the event of a lawsuit, an organisation may be required to produce legacy or historical data. In addition, information is stored for business reasons, just in case it is required at some point in the future.
This scenario presents a real need among Indian organisations today, for a strategic data retention and expiration plan.
The absence of such a plan has four broad costs:
- Data is expensive to store and this cost increases with time
- Data is expensive and cumbersome to backup and recover
- Excess data hinders performance, and throwing more storage at it can slow down performance
- Growing amounts of data increase potential risk and cost in eDiscovery and compliance
The core of the problem is that unstructured data such as email, documents, spreadsheets, and multimedia are growing quickly worldwide. IDC projects a worldwide compound annual growth rate (CAGR) in disk consumption for unstructured data of 59 percent between 2010 and 2015.
With these challenges in mind, more firms are being proactive about putting retention and deletion policies in place.
Information not managed by a data retention policy and kept longer than necessary is not only costly, it's also risky.
In short, to delete is sweet, if done consistently and in compliance with regulations and a standardized retention policy.
To make developing and enforcing that policy easier, here are some tips and guidelines.
1. Automate a survey of your data
What data do you have? Where is it stored? Which applications generate it? Who owns it? How often is it accessed?
Typical IT teams devote resources to answering only a few basic questions about their data, and they do so simply to monitor storage consumption with the objective of knowing when to add more disk so that they don't unexpectedly run out.
Organizations need to first classify their critical information (a Symantec survey conducted in the past found that Indian companies are facing challenges in identifying critical data in the first place) and then understand it better with clear insights into data governance, ownership and usage.
2. Identify relevant business and compliance requirements
Besides mapping data, you need to identify the corresponding business and legal requirements for retention. This can be a particular challenge for a large conglomerate in India, for example, which may have business interests across sectors with multiple business and regulatory requirements. Forging a path through the jungle of overlapping internal and external compliance requirements can be a challenge, and this is where defining clear policies plays a critical role.
In an eDiscovery case, for example, where a single email may be required, the entire team cannot afford to spend weeks looking for the needle in the proverbial haystack. An archiving solution can simplify matters greatly, while also reducing storage consumption.
3. Shrink the problem with deduplication and archiving
Rapid growth threatens data availability and disaster recovery. For modern and globalised organisations where operations are in motion 24X7, any interruption can be devastating. Deduplication can help control rampant growth along with a coordinated data retention, archiving and expiration process. In fact, solutions are available that enable organisations to keep certain types of data for varying periods - from several months to several years based on the requirement.
4. Collaborate to review retention policies periodically
IT, legal and risk management departments need to collaborate often to review and refresh policies in line with evolving business and regulatory requirements.
5. Learn how to delete
Don't be over-cautious about deleting data. For example, when moving from one legacy archiving system to another, they tend to leave old data in the system that was used earlier, while the newer policies only apply to new data generated. Allow time to have its effect on data that is about to expire, either on physical tapes, or ensure that data is deleted with the appropriate sign-offs from the department concerned.
Developing a retention and expiration policy can seem like a formidable project at the outset. However, with a formal retention plan, it can be much simpler than it looks. Once the plan is in place, delete expired information. Next, back up information where restore is required within 35-60 days. Beyond 60 days, it is mostly the information retention for legal and business reasons and the right way to retain that information really is using the archival technology. ? Third, one should be able to audit the information retained.
So that right information gets retained for the right period of time and then you can see if your audit is complying with the original plan. ?The fourth area is about legal requirements, wherein one has to ensure that the information is not deleted. The last point is about the comprehensive and holistic view. Every year there are new sources of information getting added and organizations need to ensure that the information in the archives or the retention system put in place has a very comprehensive and holistic view.
(The author is vice president, Information Management Group, Symantec)