Since when should effective data management and regulatory compliance be mutually exclusive?
If you have not yet taken Google Apps for your Domain out for a test drive, c|net's Rafe Needleman has an introductory video and review available: Google wants to get inside your small business. Like many who have examined this dipping of the G-toe into business data management, Rafe thinks "this is a very early, very 1.0, small business suite." And so it may be, at this juncture. But I wouldn't be surprised if Google is thinking much bigger, and likewise won't be surprised if in the not too distant future large businesses (even publicly traded ones and financial services ones, which are subject to the 1-2 punch of Sarbanes-Oxley and the Investment Advisors Act) embrace this kind of approach to data management — and especially something as effective at search, retrieval, and archiving as Gmail — as more desirable and efficient, in both function and cost, than the compliance strategies in use today.
I have seen a good deal of skepticism about the ability of a non-tailored, Web-based approach to succeed in The Enterprise ("She's breaking up!"), given the fact that the current attitude toward good regulatory hygiene involves having direct (or at minimum contractual) control over the boxes where the data resides. See, e.g., many of the comments to Mike Arrington's Google Makes Its Move: Office 2.0, and Steve Bryant, Five Reasons You'll Use Google Office (and 5 Reasons You Won't). But I think the skeptics may be focusing on the legacy/incumbent processes of compliance at the expense of its aims. Regulatory recordkeeping and reporting requirements concerning internal, non-customer data exist to ensure accountability, and the best way to ensure accountability is to ensure the relevant information will persist and can be called up and organized at will. I would think that hosting this sort of data with someone in the data persistence business, coupled with uncannily good search, should be at least the beginnings of a good compliance policy.
Some very achievable forward movement on two fronts would complete the picture. Google and its would-be competitors will need to address the concerns of folks like H&R Block's CIO Marc West, who already acknowledges (as he told CIO magazine back in May), that "many of Google's consumer products are better and easier to use than their enterprise counterparts," and that his company would probably embrace Gmail internally "if Gmail was able to address the archiving, monitoring and reporting requirements that the Securities and Exchange Commission has for financial services companies." Gmail is nothing if not a continually evolving work in process. Would you be terribly surprised to see this kind of functionality rolled out alongside a future GTalk update? I wouldn't.
And to the extent the applicable regulations themselves may need to be updated to accommodate the ability of businesses to head in this direction, as Steve Gillmor recently pointed out that's certainly feasible as well.
[Updated September 6, 2006 @ 9:05 am:] Regarding the related data security concerns, which are of course very real, there was a time when people didn't trust banks with their money either. Today, while you may understand the motivations of someone who still feels it necessary to sock away their savings in a mattress, you recognize the security risk is actually much higher than if it was entrusted to a competent third party.