December 5, 2016

Living in the Age of Data and GDPR

with Oleg Shvaikovsky
Living in the Age of Data and the GDPR

The immense advancement of technology and the massive movement of data accompanying it have brought along a need for superpower nations to control all of this data on the one hand, while on the other hand, the availability of data has made people’s lives as transparent as they were during the Stone Age.

“Millennia ago, we lived in closed, small societies where everyone knew everything about everyone else. You had to live an honest life, because everything was transparent,” Oleg Shvaikovsky, Member of the Board of the tech company Nortal, told Postimees.

Oleg Shvaikovsky was one of the speakers at the high-level economic security conference that took place in Tallinn November 30, 2016 , with other participants including the Director General of the Estonian Security Board Mikk Marran, Deputy Director of the Estonian Internal Security Service Erik Heldna, and Director of the NATO Cyber Defence Centre Sven Sakkov.

One can say that we’re living in the Age of Data, where data is the chief asset of a company. However, as data becomes more valuable, more widespread and more available, the need for regulations also increases – as people give out more data about themselves, they increasingly need the right to be forgotten, for instance.

This is one of the points stipulated in GDPR (the General Data Protection Regulation) – , the toughest and unprecedented data protection regulation, that will be applied in full to all Member States from May 2018.

For instance, if a person is a customer of a telecom company today and wants to become the customer of another one tomorrow; should they ask the service provider to delete all of the data they have on him or her – according to the new system, it must be done.

“No-one can count on keeping their customer data forever – you will always have to ask a person’s permission to collect data about them,” Lauri Ilison, Head of Big Data and Machine Learning at Nortal pointed out.

And all of the Chinese, Russian or Turkish webstores, for instance, that citizens of the EU can buy things from will have to comply with the General Data Protection Regulation if they wish to avoid being blocked. The requirement will not only apply to EU companies but also to all of the organisations that handle the data of the citizens of EU Member States. This is a huge change in global business and in data protection, with impacts extending beyond the EU.


Another important subject of the new regulation concerns data leakage
– companies will have to start identifying and preventing leakages themselves. And the fines are huge – 20 Million Euros per case, or up to 4% of the group’s annual turnover if the company wasn’t able to identify the leakage.

Data can leak outside in or inside out. Although this may seem improbable, the majority of data leakage doesn’t come from external attacks but rather from human curiosity towards the contents of the information systems, and the desire to share these findings with one’s friends and relations. Sudden changes and deviating from usual information retrieval patterns may indicate possible threats of inside out data leakages and soon every company will have to start detecting these type of changes in the usual behavior pattern. Law enforcement agencies, for instance, have had this capability of monitoring their own workers for years.

“As we know, data is one of the keys for creating value – an asset that companies use to make money. The more relationships a company is able to build from the data and the better it understands the data, the more successful the company is. How we should store, process, and collect data and what rights a person should have to influence these processes – this is now regulated with a directly applicable EU regulation,” Member of the Board and head of the TIME business area in Nortal, Oleg Shvaikovsky pointed out.
Shaikovsky says that all of this will be very hard to put into practice – it is not possible, after all, to start cutting out portions of a person’s transactions from within all the transactions of any given day – as any report on the transactions of the day will become meaningless.

“There are a lot of dilemmas and contradictions. I dare say that even the banks and telecoms that have the highest data security levels lack a unified and integrated data map, that gives them exact detailed overview as to what piece of data is located precisely where,” Shaikovsky suggested.

According to Lauri Ilison, the provision of digital services as a whole will become a lot more complicated, as the new regulation will concern all data that can somehow be connected to a specific person. Thus, for instance, testing Big Data information systems will become more complicated.

Estonia and Germany, however, are lucky enough to have data protection regulations in place already and now all that is needed is a bit of tweaking.


Nortal is building a solution
in the field of data protection and Big Data that will help IT meet the legal regulations and vice versa.

“Basically, we go through the entire information system of our customer, we identify every last bit of data in their systems and we create an extremely detailed map showing all of the interconnections,” Shaikovsky explained. “And we also make it possible to renew, audit and test information systems to make sure all of the data protection regulations have been met.”

“We have been seriously working in this area for the last year and a half. We have come up with a standard solution that will enable companies to comply with the regulations relatively easily,” Lauri Ilison said.
The new EU General Data Protection Regulation, just like competition regulation, stipulates administrative penalties – up to 20 Million Euros or up to 4% of the group’s last year’s turnover. According to the Estonian Data Protection Inspectorate, these penalty rates are only suitable for vast global corporations in mind and are not suitable for penalising natural persons or smaller enterprises.

* Interview was published November 29, 2016 in Postimees online