Unstructured data not exempt from compliance requirements
Concerned about regulatory compliance? Data protection teams must be familiar with all regional and industry regulations to back up unstructured data in a compliant manner.
Compliance regulations put the pressure on organizations to retain and manage data or else risk heavy fines. Unstructured data, as messy as it can be, is not exempt from such requirements.
Organizations should evaluate their backup and data protection strategies with an eye toward unstructured data compliance. As a general rule, regulated organizations should use a continuous data protection tool to back up unstructured data anytime it is modified. Data retention is a huge part of unstructured data compliance. An organization must enable versioning support to make sure all previous versions of a file are retained within the organization's backups for as long as required by law.
To ensure proper unstructured data protection, backup teams must not only understand the location of different data types, but they must also determine which compliance requirements surround that data. Major regulations to understand include the following:
- Payment Card Industry Data Security Standard
Determining which compliance regulations an organization must meet should help drive backup and data protection strategy.
Meeting different compliance requirements
One of the biggest challenges associated with unstructured data compliance is that not all of an organization's data is subject to the same rules.
The healthcare industry has numerous examples of this issue. Institutional social media content, medical notes, X-rays and recordings of patient therapy sessions are all examples of unstructured data. Structured data examples include weight and lab tests.
Many healthcare providers have file servers that contain a variety of different files. If any of those files contain personally identifiable protected health information, then those files unquestionably fall under the HIPAA data retention and protection requirements.
However, HIPAA does not apply to anonymized data. If a document contains medical data that has been stripped of personally identifiable information in a way that makes it impossible to trace the data back to specific patients, then the HIPAA requirements do not apply to that document.
Similar examples abound in the business realm. For example, HR departments have a mix of personal unstructured and structured data governed by various compliance requirements.
Organizations deal with varying retention and protection requirements in different ways. Some simply apply the same policies to all of their data, whether doing so is required for a particular file or not. This approach ensures nothing slips through the cracks.
Other organizations use a system of tagging as a way of determining the rules that apply to a given file. The idea is that when a user creates a file, they attach one or more tags to the file. Back-end software uses these tags to determine the file's lifecycle, its retention policy and how the file is to be backed up.
The biggest barrier to this approach is that many file servers do not natively support the use of tagging. An organization might need to invest in third-party software or migrate its unstructured data to another platform, such as Microsoft 365, Microsoft SharePoint or Komprise Intelligent Data Management.
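The tag-driven approach described above can be sketched as a small policy resolver; this is an added example, not code from any product the article names. The tag names, retention periods and file names are constructed placeholders rather than values taken from any regulation, and unknown or missing tags fall back to the strictest policy so that an untagged file is never under-protected.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    retention_days: int      # how long every version must be kept
    keep_versions: bool      # retain all prior versions of the file
    continuous_backup: bool  # back up on every modification

# Constructed tag-to-policy table. Tag names and retention periods are
# placeholders for illustration, not values taken from any regulation.
TAG_POLICIES = {
    "phi":        Policy(2190, True, True),
    "cardholder": Policy(365, True, True),
    "hr-record":  Policy(1095, True, False),
    "anonymized": Policy(90, False, False),
    "public":     Policy(30, False, False),
}

def strictest(policies):
    """Combine policies so that every individual requirement is still met."""
    policies = list(policies)
    return Policy(
        retention_days=max(p.retention_days for p in policies),
        keep_versions=any(p.keep_versions for p in policies),
        continuous_backup=any(p.continuous_backup for p in policies),
    )

# Fallback for untagged or unrecognized files: the strictest of everything,
# which is the "same policy for all data" approach.
DEFAULT_POLICY = strictest(TAG_POLICIES.values())

def resolve_policy(tags):
    """Return the backup policy for a file given its user-applied tags."""
    normalized = {t.strip().lower() for t in tags if t.strip()}
    if not normalized or not all(t in TAG_POLICIES for t in normalized):
        # Missing or unknown tag: fail closed rather than under-protect.
        return DEFAULT_POLICY
    return strictest(TAG_POLICIES[t] for t in normalized)

if __name__ == "__main__":
    # Constructed sample files and tags.
    samples = [("xray_0412.dcm", ["PHI"]), ("study_export.csv", ["anonymized"]),
               ("onboarding.docx", ["hr-record", "anonymized"]),
               ("notes.txt", []), ("scan.pdf", ["phi", "misc"])]
    for name, tags in samples:
        print(name, resolve_policy(tags))
```

A file carrying several tags gets the longest retention and the most protective backup settings among them, so a mixed document is held to its most demanding requirement.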