Is tape storage a viable option for GDPR?

Storing data for long-term retention and occasional retrieval is an operational requirement for organisations of all sizes. This secondary storage has traditionally been held on tape systems, via a secondary storage provider. However, this traditional view is now being challenged by the ever-increasing demands placed on an organisation’s ability to retrieve specific data to meet regulatory and/or information governance requirements. Time is now the critical factor, not the cost of storage, as the fines associated with non-compliance are about to get seriously eye-watering.

Retrieving data from tape storage is a multi-day affair consuming resources and time, while cloud archives can be accessed in a matter of seconds. This has a major impact on the real purpose of archiving and backup, which is to get the data back quickly when local copies are not available, for example when data is lost in a disaster or ransomware attack, or when an information governance requirement occurs – data needs to be recovered quickly. Moreover, tape access is serial, while a cloud system can go directly to the needed object. I believe the ability to retrieve in a timely fashion will bring about a shift in how traditional secondary storage strategy is implemented.

The main data challenge is to have insight into what data you have, so that you can retrieve only the data that’s required in the shortest possible time. With greater insight, organisations can save vast sums of money by not storing data that is redundant, obsolete or trivial (ROT), and what is stored, certainly in the case of personally identifiable information (PII), can be retrieved in a timely fashion to satisfy any information governance and regulatory compliance requirements, such as the General Data Protection Regulation (GDPR).

Tips for Optimising Secondary Storage for regulatory compliance

  • Firstly, gain a common understanding across the organisation of Information Lifecycle Management (ILM) and develop a high-level business justification as to how the practices can provide tangible business benefits.
  • Understand your current applications and datasets against regulatory and compliance requirements, and review existing policies and procedures related to ILM, developing and enhancing these where appropriate. These may include, for example:
      • Data management policies – information and security classification, retention and deletion.
      • Application development policies – to ensure procurement or development of applications aligns with the data management policies and exploits the capabilities of the storage technology, for example, selection of the appropriate storage/archive tier.
      • Storage policies – defining where data types should reside and the performance characteristics of each tier.

The approach would be to undertake a discovery activity to gain the information required to address the points above, then undertake an opportunity assessment to determine the areas of risk priority versus high/low return on investment.

Focus on the application development space as this will help ensure that all new applications are developed or purchased with retention and regulatory requirements built in.

The bottom line is that, for most users, we’ve reached the point where the tape storage cost advantage has been supplanted by the need to satisfy data regulatory requirements, and time is now the compelling driver, not cost. How are you dealing with your secondary storage strategy? Do you need some help and guidance on effective information governance? Then get in touch with me.