The Digital Tipping Point
This is the fourth blog in a six-part series.
How a combination of business and regulatory upheaval has brought IT to a tipping point in acting on data
A dramatic change in business requirements, coupled with regulatory upheaval embodied by the coming General Data Protection Regulation (GDPR), is taking IT organisations to a tipping point where they must take a much more proactive approach to understanding and managing their data.
The current state of data in the enterprise
For years, IT, encouraged by falling storage costs, has taken a relatively low-touch approach to the management of data, with most organisations taking the view that keeping data is less expensive than managing it proactively. This was mirrored by a relatively low-key approach to data privacy regulations in most countries around the world.
Over time, IT has created numerous copies of data for protection and governance purposes. This has been matched by a trend of increasing the volume of copies used to gain insights from data. Analyst research on Copy Data Management [1] shows that 45-60 percent of total storage capacity consists of ‘copy data’, whilst 82 percent of those organisations surveyed have at least 10 copies of each database.
These statistics illustrate how, over time, copies of data have increased based on a variety of use cases. Test, development, business continuity, operational recovery and analytics have all spawned multiple copies of data, each with its own discrete set of supporting infrastructure. Of late, the shift to digital business has increased the requirement for the business to inspire high levels of customer trust combined with a regular supply of fresh business insights. For IT, ensuring that trust is maintained means continuous service delivery, which in turn relies on copies of data for failover and recovery purposes.
One of the most intractable problems is the number of discrete backup/recovery, retention and compliance products in the enterprise. The same analyst research showed that, on average, each enterprise had between five and 10 different products installed with up to 50 potential data copies. This clearly presents a significant burden to IT, with many discrete points of monitoring, management and reporting, each of which also presents another potential entry point for a cyberattack.
Traditionally, IT has taken the position that it is too costly and risky to consolidate data operations, such as backup/recovery, archive and snapshot management. That argument is much harder to make today when you consider the data management requirements of GDPR and the demands of digital business together. Today we can make the case that, for many organisations, the cost and risk of not acting may well be higher than the risk of acting.
GDPR changes the rules
Most organisations now have high volumes of relatively loosely managed data that includes large numbers of copies and replicas. Unstructured data (such as files and email) is particularly problematic as it, unlike databases, is not indexed. This makes both the data classification and privacy impact assessments required for GDPR extremely challenging to conduct. In short, GDPR changes the rules of data and storage management.
The requirement for each business to know and manage personal data means that businesses must know their data overall in order to determine what data is personal and subject to the GDPR regulations. GDPR’s strict breach notification rule means that organisations also have to determine, within 72 hours for notification purposes, the nature of the breach, its scale, who has been affected, and how it occurred. A rising tide of cyber-attacks means the risk of a breach is significant and increasing, and tighter data management is an essential part of any plan to remediate those risks.
GDPR as a catalyst for change
Instead of treating GDPR as an investment with little in the way of return other than compliance, it is far more proactive to build a GDPR plan that will address its demands whilst simultaneously equipping the company with a better set of data capabilities. As one CIO said at Gartner Symposium 2017, “I do not see GDPR as a problem; I see it is a catalyst for change.”
Taking a shared services approach to data across the spectrum of business requirements (protection, governance and usage) rather than tackling them discretely is likely to result in a set of capabilities that will serve the organisation more broadly and actually assist with digital transformation.

[1] IDC: Copy Data Management, 2017