With regulation, compliance and governance moving up the CIO agenda, what are the implications of requests like these for both outsourced storage service providers and their clients? Who holds accountability for maintaining or destroying data?
Aside from the immediate issues faced by News International and its service provider, this story raises valid questions about who is responsible for compliance in such situations. There are increasingly stringent legal requirements for certain information to be retrievable, and of course different industries often face additional regulation.
The issues become even more difficult when you factor in the cloud. With some providers, your data and backups may well be held offshore, and there are no common legal standards that guarantee the judiciary from one country can obtain information held in another.
With the cloud in particular, we believe there’s also a tendency to keep adding more and more data without ever considering deletion. As with traditional storage, cost savings can be made if data is prioritised and managed accordingly, so the important questions are not about technology, but about process and governance.
If you are outsourcing, you need to give extra consideration to what data is stored, where it is stored, who is liable for it and how you will audit it and demonstrate compliance if required. In our experience, responsibility for compliance has often been a grey area. Our advice to businesses is to make sure everything is spelled out in the contract you have with your provider.
Independent advice and governance around data management can help protect both clients and hosting companies as well. We typically ask questions around regulatory compliance when specifying client solutions. These days, even straightforward infrastructure provision contracts generally pass on some data protection liability to the service provider, especially where personal information is involved.
Well-governed outsourcing of data storage and management can improve the audit trail. Using specialists ensures the right data is backed up, encrypted, archived, retrievable and safe from hackers, and can help rectify problems with old, obsolete or unencrypted media.
It’s likely that service providers will increasingly find themselves responsible for compliance. With more and more services and applications being outsourced to the cloud, the ability to demonstrate compliance may well be one of the main reasons companies will choose to outsource in future.
Steve Watterson is services director of Company85 and a BCS contributor.