Vendors are making noise about regulatory compliance and data retention. While the topic may be surrounded by hype, the implications for the end user are all too real. This was the message conveyed by Richard Scannell, vice president of corporate development and strategy at GlassHouse Technologies Inc., when he shared a life science industry case study on compliance recently with Storage Decisions attendees.
"Vendors have found their next Y2K," Scannell said. "This is the fear and terror they've put into the hearts of CIOs to say: 'If you don't get compliant, you're going to jail.'"
Despite the vendor hype, Scannell told attendees that regulations are front and center for a lot of industries. He also noted that many -- including those in IT -- are ill-prepared for the coming onslaught.
One problem he noted was the fact that compliance failures are well publicized while successes go largely unnoticed. "There's not a lot of information about who's good at this and who's bad at this."
Scannell said one of the key things you should understand is who the regulators are for your industry and why they exist. He also stressed the importance of understanding more about the business lifecycle of your company's data.
What advice could he offer the IT managers and staff in attendance? Start by classifying your company's data in two ways -- validated or non-validated, he said. In other words, identify data that needs to be regulated versus data that does not.
Scannell outlined the classification process further as follows:
- Define classifications.
- Monitor and map the data's location in the business lifecycle.
- Define data requirements and attributes.
- Set policies around storage, including backup and restores, archiving, security and change control.
In short, users need to move from a focus on just technology management to one of effective process management, he said. There is a business case in every industry related to regulatory compliance. The expectation is that companies will implement global procedures. These procedures, in turn, will have major IT implications.
Perhaps most important to regulatory compliance, he noted, is building an audit process to test how well the data can be traced or retrieved.
"Regulations don't say, 'Do A, B, C and D and you'll be compliant.' You have to tell the regulators what you are going to do and then show that you do it."
Ultimately, Scannell said regulations are all about interpretations. "There are no rules. [The regulators] give you a pad on which to write your own destiny."
Presentation slides and other links to the full session proceedings are available here.
About the speaker: Richard Scannell is the vice president of corporate development and strategy at GlassHouse Technologies, Inc. Scannell is a frequent speaker and featured columnist in such publications as Storage magazine, Intelligent Enterprise and Byte and Switch. Prior to GlassHouse, Scannell headed a $30 million global IT organization supporting a $10 billion sector of Motorola with operations in Chicago and Scottsdale, Ariz. While there, he managed 160 IT engineers and ran a 24x7x365 operation with 25,000 sq. ft. of data center under his supervision, encompassing storage products from most of the major vendors in the industry in SAN, NAS and DAS configurations.
This was first published in September 2003