3 Keys to Data Compliance Management with Shifting Regulations
Solutions Review’s Expert Insights Series is a collection of contributed articles written by industry experts in enterprise software categories. In this feature, Veritas Technologies General Manager Ajay Bhatia offers his essential keys to data compliance management during times of shifting regulation.
The complicated landscape of compliance standards in the United States is increasingly difficult to navigate for organizations and IT leaders. With constantly evolving state laws and rumors of an imminent federal bill, organizations have been fighting for nearly a decade to keep up with the ongoing changes while managing their exponentially growing data.
To help add clarity to privacy regulations, California passed the California Privacy Rights Act (CPRA) to amend the California Consumer Privacy Act (CCPA), a law that was notoriously vague on topics like sensitive data and the Right to Access, Deletion, and Correction. With the CPRA officially operative as of January 1, 2023, organizations have until July, when the order becomes enforceable, to become compliant before they expose themselves to significant penalties.
While ensuring compliance can be complex in any situation, it becomes even more complicated in multi-cloud environments. As organizations expand into new cloud environments to manage huge amounts of data, keeping track of what is being stored becomes even more difficult. In fact, it is estimated that more than half of a company’s data is dark, which means it might not be business-critical or useful for decision-making. What’s more, automated backup policies, which are popular to ensure compliance, can also result in the redundant storage of unnecessary data, adding another layer of data for IT professionals to sift through.
Keys to Data Compliance Management
So, how can IT teams address noncompliant data and avoid the large financial penalties and reputation damage that threaten organizations if they are fined? The answer lies in three key steps:
- Identifying and categorizing data
- Automating a classification system
- Democratizing data classification
Step 1: Identifying & Categorizing Data
In addition to costing an average of $26 million in storage expenses a year, dark data poses a significant risk to an enterprise’s compliance efforts due to the high amounts of personally identifiable information (PII) that may be unaccounted for. This is especially true as distributed workforces rely on data sources like Zoom and Teams recordings that could mention PII but can’t be identified using traditional categorization methods without a transcript.
To prepare data in the cloud for compliance efforts, IT teams must sift through their full catalogue of data – including video and voice recordings, internal messaging chats and traditional data files – to identify the correct data categories: business critical, useless or even noncompliant. Once this data is identified and sorted, IT professionals can make more informed decisions about the usefulness of the data and whether it can be archived or deleted.
Step 2: Automating a Classification System
Once noncompliant data has been located and properly categorized, IT leaders can begin to further evaluate and streamline their data. According to WEF, the world will produce data at a rate of 463 exabytes per day by 2025. To appropriately classify and manage the massive amount of data created, IT teams will need to utilize artificial intelligence (AI) and machine learning (ML) strategies to effectively create and maintain a classification system that organizes their information efficiently.
Once established, an automated classification system can allow IT teams to easily resurface essential data, minimizing the amount of time that employees spend locating, classifying and sharing data on short notice. Employing autonomous strategies can also streamline decisions on whether to keep or archive data, as outlined in step one, and significantly reduce enterprise IT operations costs due to their capabilities in visibility, reliability, security and scalability.
Step 3: Democratizing Data Classification
Once data is identified and classified, IT teams need to initiate a forward-thinking strategy to get ahead of data that’s created in the future. As data is democratized across a business, it’s important that classification spans beyond the IT team to the employees creating the data. Automated classification systems make this process easier so that an organization isn’t relying on the subjective opinions of its employees, instead relying on an automated system that classifies based on organizational rules and requirements.
While some manual oversight is still required, democratizing data classification can take the burden off the IT team alone. This combination of manual and automatic policies will encourage a long-lasting, efficient strategy in which the entire organization is involved, and remove the solitary burden of data management and compliance from IT leaders.
While the steps to addressing compliance in the era of the CPRA may seem costly and complicated, the benefits stretch much further than simply avoiding fees and a corporate reputation nightmare – spanning cloud budgets and sustainability efforts. Think of the CPRA – and all privacy regulations – as a spark to ignite a mindset shift across the enterprise. As IT leaders act on that spark internally, it provides an opportunity to keep streamlined data management practices top of mind to reap the benefits across the organization.