What is regulatory compliance?
Every organisation is bound by applicable laws, policies and regulations. Failure to adhere to, or comply with, these could result in fines and prohibitions, in other words ‘significant business impact’. Regulatory compliance is simply unavoidable, and the best we can do is to stay compliant. Most messaging regulatory compliance laws require retention of emails, and below are a few examples of such regulation:
| Compliance Law | Region | Retention |
| Payment Card Industry – Data Security Standards (PCI – DSS) | United States | 1 year |
| AICPA – Generally Accepted Privacy Principles (GAPP) | United States | Retain PII until no longer required |
| Australian Essential 8 (ACSC 8) | Australia | 3 months or more |
| Data Protection Act (DPA) | United Kingdom | Retain PII until no longer required |
| Sarbanes Oxley (SOX) | United States | 7 years |
| Bundesdatenschutzgesetz (BDSG) | Germany | Retain PII until no longer required |
While the above list is limited, there are innumerable laws which apply to industries in different regions. Moreover, businesses could be subject to compliance with multiple laws, which is certainly the case with multinational organisations.
How should you choose a solution and retention strategy which addresses compliance, and caters to longer-term requirements? Here are a few pointers:
1. Start by evaluating your compliance requirements
2. Evaluate an appropriate email data governance solution. A few examples are below:
a. Journaling – A concept of storing a copy of every sent or received message
b. Archiving – This involves storing a copy of all messages on inexpensive storage and retaining the same for a predefined period. Examples include solutions like Veritas Enterprise Vault, Mimecast, Commvault
c. Retention – This concept reduces the need to move data to a different location, but rather assigns a retention tag to the data at source. Examples include retention solutions for Microsoft Exchange, O365, Google Vault
3. Consider an eDiscovery solution – Data must be produced anytime when requested. However, this is something many organisations do not plan for, thus facing huge eDiscovery costs coupled with fines. It is imperative you plan for this in advance, and preferably leverage an email retention solution which includes eDiscovery (at least as an available option). You may consider solutions from Veritas, Proofpoint, Barracuda, Mimecast
4. Reduce complexity – I have seen organisations rely on a combination of multiple solutions to address their retention and eDiscovery requirements. While this does address the problem, it adds a lot of management overhead and complexities. Hence, it is advisable to consider a wholistic solution which addresses all of these requirements. A few examples are O365 Compliance model, Veritas Enterprise Vault Cloud, Mimecast etc.
How can Insentra help with messaging regulatory compliance?
We are specialists in security solutions and our proven project methodology will help us (and you) understand your requirements better, thus mapping them with your long-term compliance goals. Please feel free to get in touch with Insentra to know more.
