Where to focus your compliance efforts
If you are in a big organization with operations in many countries running different applications on a variety of systems, how do you decide where to start in terms of compliant data management?
You will probably find it easiest to start where the business faces a compliance deadline or has recently experienced a costly litigation discovery effort. These events can motivate management to devote the resources needed to understand the problem, agree on policy and move forward with data management solutions.
One example is the pending compliance deadline for the United States Health Insurance Portability and Accountability Act of 1996 (HIPAA) security rule in health care organizations. This can affect patient records and billing systems, as well as picture archive and communication systems (PACS) and other image-management and data communications systems.
Another example is the pending Sarbanes-Oxley Act (SOX) deadline for CEO/CFO certification of internal controls for financial reporting. Much of the detailed interpretation of the rules will be provided by the public accounting firm that audits the books -- and now must attest to the effectiveness of the internal controls. In terms of information technology, the auditors will likely focus on the financial accounting and ERP applications -- and any related applications that help document the audit trail for the company's business transactions.
Since the regulations and the compliance deadlines tend to differ from one country to the next, it may be possible to stagger the workload -- effectively addressing one area before moving to the next. To start with, focus on one business unit at a time; then replicate the process to other areas. Hopefully you can re-use the parts of the policy and architecture that apply. A single enterprise-wide policy is the more noble goal but very difficult to achieve -- especially for unstructured data -- unless you pave the way with smaller steps in that direction.
On the other hand, structured database applications -- such as ERP systems -- may represent a good opportunity for global consolidation in response to operational needs as well as compliance requirements. Benefits include more consistency of the data from one area to the next -- enabling data managers to respond to queries more easily and quickly, without diverting a lot of time and effort to translating and reconciling data from different sources. Of course, the consolidated database is likely to be larger, so you might consider an application data archiving solution to reduce the cost and performance impact of global consolidation.
This was first published in May 2004