Before talking about its impact, it makes sense to first define what is meant by the term “regulatory compliance.” There are two components: regulatory and compliance.
Regulatory refers to regulations, which are governmental, and business rules and laws. Regulations may exist for specific industries, countries, jurisdictions, and practices.
Compliance refers to following the directives of the regulations as they apply to your business operations.
Therefore, you can simply think of regulatory compliance as following the law. But it can be difficult to understand the morass of regulations and determine which specific requirements apply to your industry and type of business.
Nevertheless, it cannot be denied that as regulations expand, organizations need to deploy better controls to ensure quality data and properly protected database systems. Sarbanes-Oxley, HIPAA, PCI DSS, GDPR, and more make the news, and organizations are tasked with ensuring that they comply with these regulations.
Business executives are aware of the need to comply, although they are not always aware of all the complexities involved. But the entire organization needs to be involved to ensure success.
Ensuring compliance requires a collaborative effort between business users, IT, and your legal department. This can prove to be a challenge because these three disparate groups are quite distinct and rarely communicate collectively. IT talks to legal only when it has to—and that is usually just to get approval on contract language for a software purchase. IT and business communicate regularly (at least they should), but perhaps not as effectively as they might. But all three are required:
- Business: Must understand the legal requirements imposed on their data and systems as dictated in regulations
- Legal: Must be involved to interpret the legal language of the regulations and ensure that the business is taking proper steps to protect itself
- IT: Must be involved to implement the policies and procedures to enact the technology to support the regulatory mandates; when data is involved, the DBA frequently needs to participate
Organizations need to map and categorize their business data in accordance with how each data element is impacted by regulations.
They need to be able to answer these types of questions: Which data elements are under the control of which regulation? And what does the regulation require in the way we manage that data?
Once mapped, controls and policies need to be enacted that enforce compliance with the pertinent regulations. This can require better protection and security, enforce longer data retention periods, impose stricter privacy sanctions, mandate improved data quality practices, enact stricter data access policies, and so on.
Compliance starts with the CEO, but it works its way down into the trenches and impacts database administration. The CEO relies on the CIO to ensure that IT processes are compliant; the CIO relies on the IT managers, one of whom (the DBA manager) controls the database systems; and the DBA manager relies on DBAs to ensure that data is protected and controlled.
The impact of regulatory compliance upon database administration varies. The DBA is not responsible for developing and enforcing compliance, but their job is impacted based upon compliance-related projects and responsibilities. The primary impact of compliance on the DBA is in investigating, installing, and managing the technology that supports compliance, particularly regarding data and the DBMS.
Compliance-related tasks that impact database administration include the following:
- Metadata management, data quality, and data governance
- Database and data access auditing
- Data masking and obfuscation
- Long-term data retention and database archiving
- Closer tracking of traditional DBA tasks (e.g., change management, backup and recovery)
All IT professionals, and certainly DBAs, need to understand the concept of personally identifiable information, or PII. Managing PII is a common requirement of both governmental and industry regulations. But what is it?
PII is information that can be used to uniquely identify, contact, or locate a person. Additionally, PII is data that can be used with other sources to infer the identity of an individual. Many regulations stipulate the way PII must be handled and protected.
From a DBA perspective, policies enacted to protect PII frequently require additional tactics and methods to be enacted, including many in the list above.
The Bottom Line
Regulatory compliance introduces new and improved data management practices, but also places renewed emphasis on many traditional data management tasks while also expanding the meaning of some of them. Backup and recovery, metadata management, and change management require additional focus, whereas features such as database auditing and database archiving may be required for the first time. This causes additional workload for DBAs and data management professionals.
Fortunately, now that high-level corporate executives must vouch for the accuracy of company data, tools that can help to assure data accuracy and integrity are no longer considered a luxury but may be required to avoid prosecution. And better data management is music to the ears of DBAs everywhere.