[Photo: Bryan Balfe, CommVault]
New laws in South Africa will compel companies to manage their data properly. But there’s almost no guidance on how to proceed.
Sooner or later, someone in your organisation is going to say: “We need to be compliant.”
The first question to ask is: “Compliant with what?” The ECT Act (Electronic Communications and Transactions Act) is a typical answer, but the Protection of Personal Information Bill will soon be another. PPI’s goal is “to promote the protection of personal information processed by public and private bodies and to introduce information protection principles so as to establish minimum requirements for the processing of personal information”, according to its preamble.
[Photo: Kendall Watt, Mimecast]
“I’ve read through it because I have to understand it on behalf of my clients,” he says. “My first response to them is: you need to understand your own business first. Businesses need to understand what information they have. Once they know that, only then can they understand what legislation is relevant and how it will affect them.”
Bryan Balfe, business development director at CommVault, says there are two wrong approaches to the legislation.
[Photo: Charles de Jager, SAP]
Kendall Watt, presales engineer at Mimecast, says this is because of a lack of guidance.
“A number of our customers are frustrated by the fact that there are no clear guidelines about what they need to follow,” he says. “The ECT Act doesn’t actually speak directly about records retention periods, for example, and customers don’t know where to turn. There are a number of ICT lawyers out there, but the customers don’t know about them, so they’re asking their vendors and partners how long they should be storing information.”
Half the trouble is that this isn’t a technology problem.
“There is a lot of technology out there and a lot of people think that if they install a certain piece of technology, they will be 100 percent compliant,” notes Charles de Jager, solutions specialist at SAP. “But there isn’t a magic button. There isn’t something to buy off the shelf to do that. Gartner has said manage information and not technology. We spend too much time worrying about hardware and software and we haven’t concentrated enough on what our information really is and how it should be classified. It’s not about data warehousing or BI but rather ‘what is information management?’.”
[Photo: Keith Goosen, EOH Consulting]
The e-mail question
How long should I keep my e-mails?
It’s one of the simplest questions to ask – and one of the most reasonable for a business person – but one of the hardest to answer. Chris Hathaway, director of Soarsoft Africa, says the key question is really what business process is being done via e-mail.
“Do you even need to keep e-mails?” he asks. “Very few companies can say that they don’t transact some form of business via e-mail. There are various sections of information inside an organisation and they all need to be tackled in different ways. I still see a huge divide between IT and business. I get requests daily: how do these products comply with these new pieces of legislation? My answer is always: people, process and, lastly, technology. While technology is a great enabler (although not a silver bullet), it’s the hard yards that have to be done by the business.
“Ironically, one of the most important uses of technology is getting rid of information in a controlled and guaranteed way. I work quite a lot with archive solutions but, actually, people are using them, not to keep information, but to get rid of it.”
Watt says classification needs to come first.
[Photo: Paul Walker, Informatica]
The answer to the e-mail question could be as simple as deciding not to conduct business via e-mail, says Balfe.
“You have to have business and IT working together to come up with what the data management strategy is. The strategy could well be to pay no heed to a particular piece of legislation. Sarbanes-Oxley in the US is a good one because it’s the one with the most teeth but also the least guidance. It says, ‘Tell us how you do stuff and we’ll assess whether you do what you said you were going to’. So there’s a potential for interpreting some of the bills coming through now and saying, ‘Okay, we’re simply not going to communicate critical information via e-mail. Therefore, we don’t need to back it up.’ The pharmaceutical companies figured this one out a long time ago. That is a policy on which they can be assessed.”
Even then it’s easy to make disastrous mistakes. Balfe says that all too often, companies deal with these kinds of issues point problem by point problem, piece of technology by piece of technology.
“We’ve all seen people deploy best of breed e-mail archiving solutions and then not back up the archive. You can do everything correctly – buy the best archiving solution and the best backup solution – but then not marry the two together. That’s not a happy place to be if your job title is head of risk or, worse, IT director.”
[Photo: Gerrie van Gaalen, Van Gaalen Attorneys]
“This happened to Morgan Stanley where a judge awarded $1,6 billion against it because it couldn’t produce a set of e-mails,” he says. “Obviously, the cost of compliance is going to be a lot less than that.”
Sometimes it’s a combination of lip-service compliance and the cheaper technology option.
Comments Walker: “I was talking to a telco recently that has call records on a tape library. It’s just about to get rid of the tape library system, so in the future there will be no way of getting hold of any of that information. It’s theoretically possible to get it, but they don’t really know how. I see this sort of thing all the time.”
Keith Goosen, managing consultant at EOH Consulting, agrees that the business has to be involved from the very beginning.
“There are technology solutions and that type of thing but the key thing is that inside an organisation is a thing known as governance and that comes from the business side. Now if I’m going to do something at the IT level and I don’t have representation at the board level, the chances are that enforcement won’t happen. What is the objective of the organisation? What are the terms you define and the policies? Those have to be hand in glove with the activities that would then define the compliance. Current legislation is a whole plethora of common law and bits and pieces of the ECT Act.”
Technology-neutral
[Photo: Chris Hathaway, Soarsoft Africa]
“It’s important to understand why certain legislation has been put in place, and it’s much bigger than trying to resolve a single issue here and there. It’s to do with globalisation. India is a good example. It had a very strong call centre industry, but it had a problem transferring information back to the US and Europe because of its laws. So India changed its legislation in line with the principles in Europe so that information could come in. The same thing is happening here.”
That may be small comfort for the retailer struggling to make sense of what his business should and shouldn’t keep in its database but Balfe says legislation has had some positive effects, albeit unintended.
“One thing that has come into being directly as a result of Sarbanes-Oxley is the notion of disclosure. We at least now have people willing to say they’ve made a mistake, how it happened, why it happened and the steps they’re taking so that it doesn’t happen again. Just to get a culture of being responsible for data will come more from fear of being put in the papers. The PPI is the one I find interesting in this country. People don’t really care about legislation but they do care about the sales value of the data. PPI asks, ‘Why do you have that data in the first place?’ Why does a gym need my driver’s licence or need to know where my kids go to school? All of these fragmented bits of legislation seem to be a bit of an a la carte menu for good governance. The underlying need to be able to prove that we run ethical and good businesses will stay no matter what technology we’re running in the future.”
Companies would do well to start there, no matter what technology they have in place. It’s going to change anyway. But the need for good governance won’t.