20 million EUR question: How to ensure data protection?
In May, cybersecurity received increasing attention. First came the WannaCry ransomware, which crippled the British medical system but left Estonia relatively untouched. Barely a week later, at Garage48 [an Estonian hackathon], a group of participants discovered that a wealth of citizens’ personal data is freely accessible. These events are just the tip of the iceberg. In recent years there have been an enormous number of data leaks: every day more than 4 million data files are lost or stolen. For example, in 2016 Mexico discovered that the data of 93 million of its voters was likewise freely accessible online.
In Postimees [a leading Estonian newspaper], Veiko Berendsen wrote that the government should put more emphasis on redesigning the legal framework surrounding data protection. However, the government has already made steps in that direction. For example, in the last two months, ministries have sent for consultation the new concept for data protection and the intention document regarding a new cybersecurity law. Both of these are based on developments in EU policy-making.
One of those changes is the General Data Protection Regulation. This is one of the most drastic changes in data protection: firstly, because of the new rules it imposes, but also because it is designed to apply across the world to every organisation processing the data of EU citizens. Furthermore, the Regulation foresees that in the case of violations a fine of up to €20 million or 4% of revenue can be applied.
What should an organisation do to avoid a €20 million fine? More importantly, what should government institutions do in order to protect the data of citizens and the wider data related to the state?
Although the Regulation contains many detailed measures, it is important to recognise that as a whole the EU relies on principles- and objectives-based regulation. This means that the EU has not prescribed specific technologies but has left the exact application up to the organisations. This allows them to find the most optimal solution. In the following I will provide several strategic steps to be taken to comply with the Regulation.
Firstly: appointment of a data protection officer (DPO). This is not a mere recommendation. Public sector bodies are obliged to appoint one, as are private sector companies whose core economic activity is data processing. Appointing a DPO helps to ensure that data protection receives sufficient attention and independence.
Secondly: mapping the organisation’s data. It is necessary to identify and categorise the data processed in the organisation. A crucial part of this is identifying sensitive information. This helps to prioritise the data protection strategy while taking into account the needs of data processing and the availability of resources.
Thirdly: testing and assessing the databases. This gives an overview of the strengths and weaknesses of each database.
Fourthly: risk mitigation and budgeting. This includes analysing access rights (incl. physical access). Planning risk mitigation and related budgeting also requires a balance between understanding the needs of the organisation for data processing and, on the other hand, for data protection – more data processing can be useful but this creates additional risks.
Fifthly: development projects. Naturally, strengthening the databases requires additional security measures. Potential solutions include pseudonymisation, anonymisation and encryption.
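The difference between pseudonymisation and anonymisation matters in practice, because under the Regulation pseudonymised data is still personal data (the original person can be recovered by whoever holds the key), whereas properly anonymised data falls outside its scope. The following is an added illustration, not code from the original column or from any organisation it mentions. It uses only the Python standard library; the records, the field names and the key are constructed for the example. Pseudonymisation replaces the direct identifiers with keyed HMAC tokens, so records about the same person can still be linked for processing, but a leaked table cannot be reversed by simply hashing guessed personal codes without the key; anonymisation drops the direct identifiers and generalises the remaining quasi-identifiers.

```python
import hashlib
import hmac
import secrets

# Constructed sample records: fictitious people and values, used only for the example.
RECORDS = [
    {"personal_code": "38001011234", "name": "Mari Maasikas",
     "birth_year": 1980, "city": "Tartu", "diagnosis": "asthma"},
    {"personal_code": "47505055678", "name": "Jaan Tamm",
     "birth_year": 1975, "city": "Tallinn", "diagnosis": "diabetes"},
    {"personal_code": "38001011234", "name": "Mari Maasikas",
     "birth_year": 1980, "city": "Tartu", "diagnosis": "allergy"},
]

# Fields that identify a person on their own (hypothetical classification for the example).
DIRECT_IDENTIFIERS = ("personal_code", "name")
# Fields that identify a person only in combination; these are generalised when anonymising.
QUASI_IDENTIFIERS = ("birth_year", "city")


def pseudonymise(record, key):
    """Replace each direct identifier with a keyed token.

    A plain SHA-256 of a national personal code would be reversible by
    enumerating the small space of valid codes, so the token is an HMAC under
    a secret key that is stored separately from the pseudonymised table.
    The same input under the same key yields the same token, which keeps the
    records linkable for analysis.
    """
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        digest = hmac.new(key, record[field].encode("utf-8"), hashlib.sha256)
        out[field] = digest.hexdigest()[:16]
    return out


def anonymise(record):
    """Drop direct identifiers and coarsen quasi-identifiers.

    Birth year becomes a decade and the city is kept only as a coarse
    region flag, so the remaining attributes no longer single out a person.
    """
    return {
        "birth_decade": record["birth_year"] // 10 * 10,
        "region": "capital" if record["city"] == "Tallinn" else "other",
        "diagnosis": record["diagnosis"],
    }


def same_person(pseudo_a, pseudo_b):
    """Records stay linkable after pseudonymisation through the shared token."""
    return pseudo_a["personal_code"] == pseudo_b["personal_code"]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated fresh; in practice kept in a separate key store
    pseudo = [pseudonymise(r, key) for r in RECORDS]
    for row in pseudo:
        print("pseudonymised:", row)
    print("rows 0 and 2 about the same person:", same_person(pseudo[0], pseudo[2]))
    for row in RECORDS:
        print("anonymised:", anonymise(row))
```

Usage note: the key, not the hashing, is what carries the protection, so it belongs in a separate system with its own access controls, and a pseudonymised table must still be treated as personal data in the data map from the second step above.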
Lastly: constant monitoring. WannaCry clearly showed the need for modern and up-to-date solutions. Therefore, it is necessary to have in place constant monitoring and reporting which can be used later to plan additional protection measures.
Those six steps are rather broad and complex, but the changes need to begin already today. Research by Veritas Technologies found that most organisations have not made any preparations for the GDPR, although around 86% agreed that achieving compliance is a crucial goal. Global technology firms have made substantial investments in full-service database solutions motivated by the recent changes in regulation. For example, Oracle recently opened the Oracle Cloud EU Region in Germany, which is designed specifically around the requirements of the new regulations.
Estonia’s reputation as an e-country has long been more than marketing hype. It needs to be supported by an effective regulatory framework and by greater attention to data protection concerns, which have tended to be ignored as the amount of data keeps growing.