Companies are facing increasingly complex regulations that are also growing in number and scope, as regulatory frameworks continue to catch up with the rapid speed of data creation and technology changes.
“When it comes to assessing compliance with data privacy and protection regulations, the General Data Protection Regulation (GDPR) is likely to be used as the gold standard, as it is probably the world’s most expansive data privacy law,” says Ravi Rajendran, managing director for Asia South Region, Veritas, in an email interview with Networks Asia. “Given the long arm of GDPR with its extraterritorial scope, businesses in Singapore should not be so quick to dismiss the regulation.”
According to an earlier Veritas GDPR Report, 56% of respondents in Singapore fear they will be unable to meet the GDPR regulatory deadlines, way behind their global counterparts in terms of GDPR readiness.
In Veritas’ latest Value of Data Study, nearly one quarter of the respondents in Singapore said that their businesses were exposed to compliance and regulatory fines as a result of data management challenges, higher than the global average of 18%.
Excerpts of the Q&A follow:
1. How ready are local businesses for local and international standards of compliance?
When it comes to assessing compliance with data privacy and protection regulations, the General Data Protection Regulation (GDPR) is likely to be used as the gold standard, as it is probably the world’s most expansive data privacy law.
Given the long arm of GDPR with its extraterritorial scope, businesses in Singapore should not be so quick to dismiss the regulation. According to an earlier Veritas GDPR Report, 56% of respondents in Singapore fear they will be unable to meet the GDPR regulatory deadlines, way behind their global counterparts in terms of GDPR readiness.
In our latest Value of Data Study, nearly one quarter of the respondents in Singapore said that their businesses were exposed to compliance and regulatory fines as a result of data management challenges, higher than the global average of 18%.
Singapore is an open economy with global trade linkages. Local businesses with operations or dealings in external markets will need to comply with the different data privacy laws, such as The California Consumer Privacy Act of 2018 and Notifiable Data Breaches scheme in Australia. It is certainly an ongoing journey for local businesses towards both local and international standards of compliance.
2. Given the time frame allocated, if they aren't ready, why is this so? What have they been spending on instead?
Companies are facing increasingly complex regulations that are also growing in number and scope, as regulatory frameworks continue to catch up with the rapid speed of data creation and technology changes.
A case in point would be the GDPR, which requires organizations to be able to locate, search, minimize, protect and monitor any and all personal data they collect about EU residents. The sheer scale and scope of complying with the GDPR is enormous. For example, EU residents can request to see all their personal data and ask that it be corrected, moved or deleted. Organizations are required to respond quickly to such requests, while also keeping personal data for a stipulated time related to the reason it was collected for. Besides protecting personal data from damage, loss or breach, the rules also require companies to notify authorities within 72 hours and provide specific details about the breach.
According to our survey findings, many organizations don’t have the proper technologies and resources in place to meet such stringent requirements. In fact, 34% of global organizations (44% in Singapore) surveyed say their organizations lack the right skills and technology to harness the power of data, hindering their ability to search, discover and manage data effectively.
3. How are they looking at data classification wrongly?
Data classification helps organizations understand the key questions related to data – spanning from understanding what data they have, where data is located, the age of data, who is accessing the data, data retention period to how data is protected and whether it is adhering to compliance regulations.
When it comes to data classification, the lack of a strategic mindset has led to data being treated roughly the same, and organizations do not have an in-depth understanding of their data. For example, organizations could lose sight of which are the latest copies of financial statements or a specific customer’s data. In many instances, these are important requirements for overall risk management, data security and compliance. However, the process of classifying an organization’s entire volume of data can often run into obstacles due to lack of full visibility, insights and well-defined policies.
4. What should they be doing and considering?
With the exponential growth of unstructured data, organizations have inevitably been storing information across different IT environments, be it on-premise or in the cloud. For any compliance strategy and data classification initiative to be successful, a holistic and integrated approach should be adopted.
Locate
The critical first step is gaining a holistic understanding of where data is located. Next, organizations need to identify what types of data will be relevant and important, whether there is a need for compliance regulations in the classification phase.
Minimize
Upon building a data map of where information is being stored, who has the right to access it, how long it is being retained and where it is being moved, organizations should have a view to delete what data is no longer needed as part of the data minimization. This is done by keeping data for the period of time directly related to its original intended purpose. The enforcement of retention policies that automatically expire data over time is a cornerstone of any compliance strategy. More often than not, data has accumulated over many years and in many instances is no longer needed.
Risk factors
De-structured data that originates from a structured source but is exported into files such as spreadsheets and text files can pose quite a risk. External applications which contain personal data are highly likely to generate significant amounts of personal data in unstructured locations. This type of data can accumulate and become forgotten about as individuals leave or move around the organization; but the risk remains. This underscores the need to understand where personal data is stored in structured locations because it will inevitably leak out into the unstructured locations.
User behavior is another critical element in managing data and compliance risks. Based on a Veritas GDPR Project, classification showed that users will often store files that are considered to be business records in their own personal drive. This is not really a technology problem but a case of poor data habits. With increasingly stringent data regulations in place, it is timely to train, educate and improve the culture of an organization on how data should be managed. This is an effort which requires ongoing data classification to measure improvement.
The Value of Data Study reveals that there are several key areas that organizations could improve on:
- Ensuring data compliance (Globally: 83%, Singapore: 94%).
- Data security and managing risks (Globally: 82%, Singapore: 93%).
- Level of data visibility and control (Globally: 80%, Singapore: 89%).
- Processes for data recoverability from data loss or a ransomware attack (Globally: 71%, Singapore: 91%).
- Data sharing practices across business functions (Globally: 78%, Singapore: 92%).
According to the survey findings, we can see that organizations in Singapore acknowledge that they have more room for improvement in comparison to their global counterparts for day-to-day data management.
5. If they strive to meet local standards, will this also provide coverage for standards like GDPR?
Globally, there are different data privacy standards with varying levels of maturity and requirements, some could be more onerous than others. For instance, the GDPR is widely seen as the world’s most sweeping data privacy law.
For local businesses, it is critical to be mindful that complying with local standards such as the Personal Data Protection Act (PDPA) does not imply coverage for other standards such as the GDPR, The California Consumer Privacy Act of 2018 or Cybersecurity Law in China.
For instance, there is one key difference in terms of consent between the PDPA and GDPR. While the PDPA prohibits organizations from collecting, using or disclosing personal data unless the data subject gives consent for the collection, there are exemptions where consent is deemed to have been given, where consent is not required, such as for any investigation or proceedings by the organization. However, under the GDPR, consent must be clearly obtained without exemption, and is usually limited, and strictly defined.
6. There is talk of appointing a compliance or data officer. Is this now the new norm? How should data be viewed?
According to the 2019 annual survey conducted by NewVantage Partners, there is an increase in the number of chief data officers (CDOs) across organizations. However, key challenges remain despite having more CDOs on board. For instance, there appears to be a profound lack of consensus on the nature of the role and responsibilities, mandate and background that qualifies an executive to operate as a successful CDO.
For many organizations, there is confusion on who should be responsible for data. Executives tend to assume the CIO or CDO is the key person to be responsible for data and compliance, while the CIO or CDO will look right back at them. To be fair, this is very much cross-functional. This cross-functionality implies a change in mindset where organizations are building up a culture of compliance and data governance. Dealing with data is no longer the work for just the CDO or CIO, but a combination of all departments.
7. How should it also be protected? What are we lacking now?
Note: In the context of our latest survey, data management is an umbrella term that encompasses several key capabilities, including data protection, data resiliency and data compliance.
The exponential growth of unstructured data has led to organizations storing information across a variety of different environments, spanning from on-premises, cloud to mobile devices. As data becomes more siloed and sprawled, it is tougher to see, manage, access and protect, creating significant challenges. While most organizations would probably have data backup and recovery solutions in place, many lack full visibility and insights of the types of data generated and stored to effectively unlock the value of data.
Notably, there are some common issues that organizations need to tackle. For instance, 21% of the global organizations (Singapore: 25%) do not know where data is located. Such visibility is essential in determining how best to manage all your data and build the relevant policies to achieve this. Globally, 35% of organizations say that there is a lack of centralized strategy to data management. In Singapore, 44% of organizations are faced with the same issue. Furthermore, 26% of global organizations and more than one-third (34%) in Singapore cited the inability to back up and recover data reliably as another key challenge.
8. Are we collecting it from enough sources and are we analyzing it the way it needs?
According to the Value of Data Study, 40% of the respondents globally and more than half (52%) in Singapore – the highest among all the surveyed countries – say that there are too many different data management tools and systems in place, both legacy and new. At the same time, organizations are finding it increasingly challenging to deal with data sources. 38% of the global organizations say they are having too many data sources that are difficult to analyze. In this regard, close to half (49%) of organizations in Singapore faced the same challenge.
The vast amount of data collected poses enormous risks and challenges to organizations globally. According to an earlier Veritas Global Databerg Report, global organizations hold on average 52% Dark Data, 33% ROT (Redundant, Obsolete and Trivial) and just 15% was identifiable as business-critical data. If left unchecked, this could equate to USD $3.3 trillion of avoidable storage and management costs by 2020.
Unfortunately, everyday attitudes to data and behaviors at the strategic, organizational and employee levels are causing the dark data and ROT levels to increase. These include strategies and budgets based solely on data volumes, rather than value of data and misperceptions such as storage is relatively free, especially on cloud. It is essential for organizations to eliminate dark data to reduce risks, gain insights from critical data to drive the business forward.
9. Are we holding back ML and AI with legacy approaches to data?
As businesses are continuing to adopt more complex IT environments, such as hyperconverged infrastructures and other modern workloads, data protection will also need to adapt, or risk holding back ML and AI with legacy approaches to data. AI consistently learns from the system as these dynamic IT environments adapt and change.
At Veritas, we adopt the stance of using AI and ML to improve the reliability and portability of our solutions, to provide customers with an enriched support and user experience. Our recent offering – Veritas Predictive Insights – as well as the latest acquisition of APTARE to enhance the analytics, reporting and protection of data, is a testimony of our ongoing commitment to innovation.
Today, most IT managers are taking a rearview mirror approach when reacting to unplanned downtime caused by interruptions related to software or hardware error, component failure or something even more catastrophic in the data center. Incorporating predictive technologies will enable proactive monitoring for downtime and faults so IT managers can take preventative action before a disruption ever occurs. Being more prescriptive can lead to fewer disruptions and less downtime in operations.
More frequently, AI is enabling predictability and will play a key role in data protection in 2019 and in the future. Data protection stands to benefit the most from AI enabled predictive insights by reducing risk to data in a power disruption. With regulations such as GDPR guaranteeing data protection for users at a business’s expense, it is becoming increasingly important to keep data under lock and key.
In Singapore, the Personal Data Protection Commission (PDPC) has recognized the benefits of AI and is also taking strides to ensure that both businesses and the public are well educated about the AI value chain (Developers, Businesses and Consumers). On top of this, they have also developed an AI governance framework which will consider important issues in the commercial deployment and adoption of AI in Singapore. Proactive strategies to avoid the repercussions of even a moment of downtime will be critical for businesses in 2019 that need to provide round-the-clock data support.
10. Are we backing it up and storing it correctly?
If we use the costs associated with ineffective data management as a proxy, it is reasonable to assume that we have a long way to go when it comes to backing up data and storing it correctly.
Globally, organizations estimate that they lose over USD $2 million per year as they struggle with data management challenges. [Singapore: USD $2.66 million]. At the same time, respondents globally (including Singapore), highlighted that employees waste two hours on average per day searching for data, resulting in a 16% drop in workforce efficiency.
There are wider consequences of poor data management. Over one-third (35%) of global organizations admit to losing out on new revenue opportunities and the percentage is even higher in Singapore (45%). 39% of respondents globally say their data management challenges have caused an increase in operating costs and 43% of organizations in Singapore suffered from the same. From the business perspective, organizations are also losing out in terms of productivity, with 37% of respondents globally and more than half (55%) in Singapore saying that they are missing their efficiency goals.
11. Is the cloud replacing tape? Will it ever replace tape?
Tape continues to be a staple for two key reasons. Firstly, it is the lowest cost storage media and businesses seeking cost-effective measures to achieve regulatory compliance will still turn to tape. Secondly, as tape is stored offline, it is proving to be a less risky option as organizations are facing enormous and yet ever-changing cyber threats. In fact, based on the survey findings, 37% of the organization data is stored on-premises globally. In Singapore, we are seeing a similar trend, with 36% of data located on-premises.
However, cloud has replaced tape as the preferred storage media and continues to grow in popularity. In Singapore, 51% of the organization data resides in public and private clouds, slightly above the global average of 48%.
12. In 2019, where should we be headed and what should we expect to see happen with our data?
As we navigate our paths in 2019, the technology market will continue to transform and adapt to new customer demands. In particular, IT and data companies will be collecting, analyzing and providing insights about vast volumes of data – more so than ever before.
Businesses in Singapore and across the region will need to start thinking about the future of how they perform these tasks, and how to take advantage of new solutions that can make the jobs and lives of the people responsible for these tasks easier. New solutions can also guarantee more security and reliability, enabling better relationships with customers. This is especially pertinent for Singapore as it plans to reinvent and digitally transform 23 sectors that cover about 80 per cent of the country’s economy.
In particular, data and IT staff will need to leverage technologies that enable machine learning and predictive insights – to know how or when to upgrade technology and ensure business continuity.
Today, we are living in an era where a strategic and holistic data management approach is essential for growth. With the soaring growth of data, the ability to manage data effectively – from collecting, storing, analyzing and utilizing this data – will inspire innovation and in turn, help businesses to capitalize on their data.
To achieve this, organizations can consider a new approach of managing data with data, in an integrated three-step process:
- Classifying data. Classifying helps enterprises understand what they have, where it is located, who is using it, the number of copies that exist, if it’s valuable or not, and more.
- Enabling policies. Organizations can use the insights gained from data classification to intelligently understand, protect, and maintain their data.
- Automating. With every petabyte of enterprise data, there are roughly three billion files – beyond human capacity to manage. Automation, through means of artificial intelligence and machine learning, can take on the tasks that an IT workforce cannot and will further unlock the capabilities of an organization’s data.