BANGALORE, INDIA: Regulations will continue to have a major impact on data storage strategies and approaches.
IT organizations must carefully consider all approaches to storing and accessing business-critical data, and continually assess technology capabilities and compliance against changing laws and regulations.
Regulations are diverse and changing rapidly across the globe. A thorough, ongoing analysis and monitoring of relevant laws and regulations must therefore be considered an essential part of core business operations.
Multinational companies in particular must ensure that data is protected in accordance with the laws of the country where the data is generated, the country where the data is stored and the country where the company is registered. Trends such as cloud computing, social technologies and mobility are driving major changes in the amount of data being generated, the types of data being stored (both structured and unstructured), and regulations in areas such as data sovereignty and residency.
Data protection laws are at different stages of development in AsiaPac. Different countries follow diverse approaches to data breach notification, and record retention requirements vary from country to country.
Financial/tax records must be retained for between 5 and 10 years in most AsiaPac countries. For India it is 7 years for tax records and a minimum of 8 years for financial records. There is, however, no employee record retention requirement in India. In the event of a data breach, the penalty for non-compliance is up to 3 years in prison or a fine of up to Rs. 5,00,000.
India does not have clear, definite data encryption standards; different government departments provide for different levels of encryption. India may prohibit the transfer of data out of the country to a jurisdiction without adequate privacy protection. BC/DR guidelines are set for the financial industry in most AsiaPac countries.
India has both RTO and RPO guidelines for DR. India has a fast-changing regulatory environment, and authorities provide fragmented guidelines for security measures and encryption.
In May 2011 India adopted new data protection measures designed to protect 'sensitive personal data and information', applicable to all industries. The data processor should implement reasonable security practices and standards and maintain comprehensively documented security policies. The international standard IS/ISO/IEC 27001 is recognized as an approved security practices standard that the body corporate or data processor can implement to comply with the security measures required under the Data Privacy Rules.
Organizations may transfer 'sensitive data' to a third party in India or outside India, provided that the third party affords the same level of data protection that the organization adheres to under the Data Privacy Rules, and that the transfer is necessary for the performance of a lawful contract.
India does not have definite encryption standards. Electronic communication systems used for the transmission of 'sensitive information' are to be equipped with suitable security software and, if necessary, with an encryptor or encryption software. The Securities and Exchange Board of India (SEBI) mandates the use of encryption technology and prescribes 64-bit/128-bit encryption for standard network security.
The RBI advises banks to use at least 128-bit SSL and to encrypt sensitive data such as passwords in transit within the enterprise.
Checklist to ensure compliance
Keep tabs on all relevant laws and regulations applicable to your industry: Given the high frequency of regulatory change, organizations should regularly review all applicable policies and requirements across all countries in which they operate. This includes data privacy and protection laws as well as regulations targeting BC/DR, among others.
Review back-up and recovery tools, technologies and approaches regularly: To ensure adequate support for data laws and regulations, organizations should analyze their storage, back-up and archiving approaches every year. This is essential not only for ensuring compliance but also for business planning and continuity.
Review your infrastructure to take cost out through standardization, single-instance storage and virtualization: In addition to reviewing the core storage solutions in use, look to adopt a common storage platform for backup and archiving, along with optimization offerings such as data deduplication, single-instance storage and virtualization.
Assess the impact of cloud computing and collaboration: Evolve an effective information governance strategy that extends to data stored off-premises. Organizations must ensure that data is stored and protected in a compliant manner regardless of whether it resides on shared or dedicated infrastructure.
The author is co-founder and managing director at iValue InfoSolutions.