New rules of engagement
Organisations are wrestling with an ever-larger array of regulations, forcing a rethink of business processes and technology approaches.
Ensuring compliance with the continuous stream of new regulations that has appeared over the past four years has proved both complex and onerous for most organisations. But, while burdensome, such requirements are paying back broadly in terms of improved operational processes and better data security and integrity.
That is the central conclusion of a recent survey on compliance management conducted by Information Age in association with recording media company Fujifilm (see feature 'Compliance perceptions'). Not only does good governance sustain the company's reputation and avoid fines, or possible jail time for senior executives, when a breach occurs, but it ultimately provides a more accurate, reliable and trustworthy view of corporate activities.
The need for a structured approach to compliance management is emphasised by the sheer number of different pieces of legislation that can affect an organisation: large multinationals find themselves having to deal with hundreds of laws and industry regulations.
To add to the confusion, different national governments apply the same regulations in different ways. Italy, for example, has a much more stringent interpretation of the European Union Directive on Data Protection than the UK. And inconsistencies between the governance required in different industry sectors mean that a business operating in both the automotive and aerospace sectors, for instance, may find it has to retain the same records in different formats, and for different periods, to satisfy each sector's regulators.
Keep it safe
Clearly, there is no 'one size fits all' approach that can meet all regulatory requirements. Instead, many organisations have looked towards data and security management policies that provide organisation-wide guidelines for dealing with data.
Such policies are commonly based on information security standards, notably BS7799 or its international equivalent ISO17799 (the code of practice since renumbered ISO/IEC 27002). The value of these in providing benchmarks of good corporate housekeeping has been recognised by many organisations. "Involving senior executives will be easier if there's [such] an organisation-wide governance framework," says Carol Rozwell of analyst group Gartner.
However, relatively few organisations have the appetite to go through the laborious certification procedures the standards require. In these circumstances, documenting the processes that are actually followed is vital for convincing auditors of the validity of compliance efforts.
Keeping records today inevitably means the deep involvement of the IT department. A common theme running across most of the recent legislation is that regulators are looking for guarantees that data is securely stored and, where required, properly destroyed after a prescribed retention period. IT's central part in achieving those aims is widely recognised: "IT [has a] role in ensuring that relevant information is available and can't be tampered with, but you must consider how IT support can be provided for all compliance needs, rather than implementing point solutions for specific regulations," says Rozwell.
Over time, the aim of compliance efforts should be to ensure that data is managed from the moment it enters the business to some future point when it is destroyed or archived. That can first appear onerous, requiring expenditure on technology capable of automating the whole information lifecycle process, but such investments should improve operational efficiencies, giving companies better quality data, ensuring that only important data is locally available and that data is stored only as long as the business needs it.
Even so, such processes can raise unwelcome questions about some current storage approaches. The practice of sending boxes of tapes off for storage in warehouses is not uncommon, but there is mounting evidence that those doing so take little heed of what happens to data once it is committed to tape.
In the future, regulators may be far more willing to investigate whether data integrity is checked over time, and whether the business can account for what information is held on its libraries of tapes. Organisations are still in the early stages of responding to this more rigorous era of compliance. What happens next depends on how well businesses equip themselves to meet existing regulations, and on whether they show the kind of self-discipline that will forestall further waves of regulation.