Moving to the cloud is supposed to make data management easier, yet managing data retention in this new frontier can be more complicated and difficult than handling in-house. For that reason, companies need to find out what their options are and how the provider deals with records management. For instance, understanding how a provider applies multiple retention policies is key, as is their approach for purging certain data sets according to a mutually agreed upon schedule.
In some cases, such as dealing with a SaaS cloud service model, retention and destruction might be integrated into the offering. Many SaaS-based e-mail providers include policies for deleting e-mail after one year. In other cases, it's possible to manage data retention through the organisation's backup software. Regardless of approach, the customer needs to play an active role in setting both data retention and destruction policies while working closely to understand the legal ramifications and risks if these policies are violated, even inadvertently.
eDiscovery: Data preservation, collection and production
Cloud computing also can make searching, accessing, collecting and preserving electronically stored information (ESI) more laborious, complicated and risk-prone when compared to handling processes internally. In addressing this area, enterprise IT departments need to engage their legal counterparts for guidance and advice on how discovery in the cloud is different than storing boxes offsite at, say, Iron Mountain.
As with records management, the type of cloud service will impact the level of functionality. For example, if an organisation is leveraging the cloud simply as a storage repository, the likelihood of being able to search the data is greatly reduced. If the organisation is using a SaaS cloud service, however, there's a greater chance of being able to perform searches and content indexing to support discovery demands. In evaluating these capabilities, it's important to ask about the tools offered by the cloud provider. In some instances, the organisation will be able to use a combination of internal and external tools to facilitate data search and identification.
Another important question entails understanding the authenticity and admissibility of cloud-based data. When data is moved to the cloud, for example, does ownership of the data change and are an organisation's rights to the "clouded data" any different than if it was stored locally? Also, how is data authenticity evaluated and monitored? It's critical to maintain data in its original format, but sometimes moving to the cloud creates changes in metadata and file names. This can cause serious complications, especially if companies no longer have access to the same metadata as when the data was stored locally. If information is altered when moved to the cloud, companies should determine whether it's possible to audit the data to demonstrate that it's still available in its original format.
Sign up for CIO Asia eNewsletters.