UK FIRMS RISK BIG FINES BY FAILING TO PREPARE FOR NEW DATA LAWS

The majority of UK firms are risking heavy financial penalties by failing to prepare for the complex and growing number of regulations surrounding the issue of data storage compliance, according to new research commissioned by data storage vendor Adaptec.

The survey questioned IT directors from 100 UK-based organisations about their attitude towards, and their readiness to address, new data compliance legislation. It found that 85 per cent of them have never received formal training on how to comply with data storage legislation that could impact their business.

The research also found that 36 per cent of IT directors could not confidently advise their CEO on how long their company is legally required to store its business data. Compounding the issue, more than half (53 per cent) of IT directors were unable to confirm whether they even had a policy that addressed how long they should store company emails. Almost as many (47 per cent) said that they could not retrieve a company email from more than three years ago, while 37 per cent conceded that they had no email storage policy at all.

UK businesses are under increasing pressure to ensure they comply with laws that affect how they must store and be able to retrieve data. They range from Sarbanes-Oxley, through to the Basel II Accord and the recently updated Combined Code, to name just a few. The consequences of failing to comply with these new laws typically include heavy financial penalties, although in some instances they can lead to the loss of an operating licence and to criminal proceedings.

In the case of the financial industry, the Financial Services Authority (FSA) requires all UK financial institutions to store all business email for up to six years. However, 25 per cent of companies surveyed from the financial sector confirmed they could not retrieve an email from more than three years ago, which indicates they would be in breach of FSA requirements. In addition, 35 per cent said their company either had no policy for how long emails should be kept or they did not know what the policy was.

Russ Johnson, Adaptec's European managing director, says: "One reason why compliance training among IT directors is so woefully inadequate is that, while they're aware of emerging compliance issues, it's often unclear where the responsibility for compliance falls within the organisation. Despite this lack of clarity, it's essential that the IT department knows exactly where and on what type of media their corporate data is stored as well as how long it needs to be archived."

A lack of clear guidelines to help firms comply with data storage legislation has further compounded the issue, with UK organisations being affected by over 120 new and existing laws related to data storage and retrieval.

Data compliance, however, is not simply about how long an organisation retains its data. One aspect that the UK data laws have in common is the requirement for businesses to be able to quickly find and retrieve the stored data. A comprehensive data compliance strategy that meets these needs can put UK firms in a far stronger position to respond to data requests from regulatory agencies, end users and auditors within an acceptable timeframe.

"It is a fact of life that most organisations are involved in legal action of some kind at some point in time. However, the inability to produce court-ordered documents, not just email but all material data, because of a lack of appropriate data storage practices is no longer considered an acceptable legal defence. By complying with these new laws UK firms will put themselves in a better position to protect themselves," added Johnson.

One IT director firmly addressing the compliance issue in her workplace is Lorraine Dotchkin, director of IT at J Keith Park & Co, a specialist litigation firm in Manchester with about 150 staff. She implemented a data storage solution that manages more than 60,000 live client cases on any given day. The main driver was compliance.

"For the legal industry, UK laws and regulations state that archived client data needs to be kept accessible for 12 years after a case has been completed," explains Dotchkin. "Our strategy has been to ensure that our IT department works closely with our executive management team to ensure our systems and processes are fully compliant with what the law states."

The research was commissioned by Adaptec and conducted by independent research company Vanson Bourne.
