Enterprise IT compliance needs are constantly evolving. New regulations pass every year, and internal policies change. Disruptive new technology trends, such as generative AI, create additional concerns and requirements. The risk of fines, legal exposure, or breaches from unmanaged unstructured data is massive and growing, and all hands across IT and the business need to help reduce the risks.
This article focuses on the impact of compliance on enterprise data storage teams dealing with massive volumes of growing unstructured data and how a strategic program for unstructured metadata management can intelligently assist by discovering and acting on files that are at risk of security and compliance violations.
Enterprise IT compliance for data storage requires understanding regulations (such as General Data Protection Regulation [GDPR] or HIPAA), implementing strong security measures (encryption, access controls), managing data lifecycles (retention, disposal), maintaining audit trails, and ensuring data residency. Steps include data inventory, risk assessments, clear policies, employee training, and regular audits to demonstrate adherence to standards such as ISO 27001 and System and Organization Controls (SOC) 2.
There are several trends making IT compliance more complex right now:
- States are passing more privacy bills, with 20 passed and five more in committee as of July 2025. The European Union (EU)’s GDPR requirements are considerable for companies with European operations or customers.
- Updates to major standards, including Payment Card Industry Data Security Standard (PCI DSS) 4.0 and the SOC 2 framework, are introducing enhanced authentication requirements as well as a stronger focus on risk management and cloud privacy.
- Sustainability remains a force in the global economy, with the EU Corporate Sustainability Reporting Directive (CSRD) leading the way for mandated reporting on ESG performance.
- The EU’s AI Act is known as the gold standard, while other countries and regions are enacting their own versions of controls around AI systems and data use.
- Industry-specific regulations such as HIPAA in healthcare place robust data security, access, audits, and monitoring burdens on IT.
Most large organizations have compliance departments that work in concert with cybersecurity, but analytics and data warehouse teams, along with data storage teams, also have an instrumental role to play. Their ability to discover, enrich, and leverage file metadata can help identify regulated and protected datasets that are being stored and shared outside of compliance rules.
How Unstructured Metadata Management Supports IT Compliance
Storage system-generated file metadata provides useful context and detail about unstructured data, which can help track data lineage, data owners, usage, and access, and demonstrate adherence to regulations such as GDPR and HIPAA. This “data about data” acts as a foundational layer for data governance. By enriching metadata with additional tags describing file content, IT can locate sensitive data such as the following, which might have been inadvertently moved to noncompliant locations or copied and stored insecurely:
- Personally identifiable information (PII) and protected health information (PHI) data
- Internal proprietary data such as intellectual property
- Confidential customer documents such as contracts, invoices, and payment information
- Sensitive project data
- R&D files
- Hidden sensitive data within other documents, such as shared meeting notes and transcripts
- Legal hold and surveillance data
Managing data security is crucial, especially in the age of AI, where unstructured data fuels AI. Once an organization queries, tags, and classifies datasets for security and compliance keywords, users can manage data to support compliance and governance activities as discussed below.
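The query, tag, and classify workflow described above, sketched as an added example (not code from the article or from any product): metadata records are enriched with content tags, then queried for tagged files stored outside approved locations. The tag rules, the approved path prefixes, and the catalog records are all constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed tagging rules: tag name -> content pattern (assumptions).
TAG_RULES = {
    "pii:ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "pii:email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phi": re.compile(r"\b(diagnosis|patient id|mrn)\b", re.I),
    "legal-hold": re.compile(r"\blegal hold\b", re.I),
}
# Hypothetical policy: storage prefixes approved for each tag family.
APPROVED = {
    "pii": ("/secure/hr/",),
    "phi": ("/secure/clinical/",),
    "legal-hold": ("/secure/legal/",),
}

@dataclass
class FileRecord:
    path: str          # location reported by the storage system
    owner: str         # data owner from file metadata
    text: str          # extracted content sample used for tagging
    tags: set = field(default_factory=set)

def enrich(rec):
    """Enrich a storage metadata record with content-derived tags."""
    rec.tags = {tag for tag, rx in TAG_RULES.items() if rx.search(rec.text)}
    return rec

def violations(records):
    """Return (path, owner, tag) for tagged files outside approved locations."""
    out = []
    for rec in map(enrich, records):
        for tag in sorted(rec.tags):
            family = tag.split(":")[0]
            if not rec.path.startswith(APPROVED[family]):
                out.append((rec.path, rec.owner, tag))
    return out

# Constructed sample catalog entries.
CATALOG = [
    FileRecord("/secure/hr/payroll.csv", "hr-svc", "Jane Roe 123-45-6789"),
    FileRecord("/shares/public/notes.txt", "jdoe",
               "Meeting notes: contact a.b@example.com re patient ID 4411"),
    FileRecord("/shares/eng/design.md", "asmith", "Cache layer design draft"),
    FileRecord("/tmp/export/case.docx", "legal1", "Subject to LEGAL HOLD"),
]

if __name__ == "__main__":
    for v in violations(CATALOG):
        print(v)
```

The shared meeting notes record shows the "hidden sensitive data" case from the list above: one file picks up both a PHI and a PII tag and is reported once per tag.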
Data Lineage
Metadata tracks the date of creation, movement, and modifications to data, which helps demonstrate how sensitive information has been handled to meet regulatory requirements. For example, a file tiered from on-prem storage to the cloud may still be accessible from the original location, but its data lineage should show that it is now stored in the cloud. This is especially important to track if the data is then fed to AI.
Policy Compliance
By identifying data owners, access rules, and usage guidelines through metadata, companies can ensure that sensitive information is protected and used only as authorized. Metadata monitoring is also important for implementing policy-based retention and deletion based on the age of the data and its file type. In healthcare, for instance, some medical images must be retained longer than others, depending upon the disease category and/or demographic.
Auditing
A comprehensive unstructured data catalog that indexes data across storage can report on data movement and usage to regulators, for example to satisfy laws for data collection and processing under GDPR, or to track data governance for AI. It can also identify ex-employee data and duplicate data that can be purged to reduce the attack surface and deliver one version of the truth.