New era in data protection: Are we ready?

by Risto Hübner, Nortal's Chief Legal Officer

It is an indisputable fact that data is the new “black gold” and hard currency of the digital era. In one year, a new General Data Protection Regulation will become applicable.

This is an updated EU-wide data protection legislation introducing substantial changes that directly affect all companies and authorities. One year before the new regulation becomes applicable it is appropriate to ask: Are we ready?

Last weekend, the largest hackathon in the Baltic countries, Baltic Open & Big Data 2017, was held in Tallinn; one of the teams participating in the hackathon, PSII, created a technical solution that scans and identifies personal data from public registers.

In the course of analyzing different public document registers and more than 10,000 documents, the team was able to identify both ordinary personal data (such as names and personal identification codes of individuals) and sensitive personal data.

Due to the sensitive nature of the data, the team disabled the prototype scanner and contacted the Data Protection Inspectorate in order to map the situation and find a solution to help the authorities to remove such data.

Project PSII is not alone. Rather, the existence of such problem is more widespread than many might imagine – and there is ample evidence of this from both private and public sectors. Just think about your company or organization. Do you know exactly how many Excel spreadsheets include customer’s personal data? Where can you find those spreadsheets? Are they only stored in dedicated information systems, on computer hard disks, or in a file sharing environment, such as Dropbox, Google Drive, or in a public e-mail service or some other facility?

One of the biggest concerns in relation to achieving compliance with the new regulation is not the technical solutions, but lack of awareness. People are simply not aware of the issue and its scale. When advising companies and public sector customers about this area, we constantly see that the results of our analysis come as a surprise to the people responsible for data protection.

The first step should be raising awareness and mapping the situation. The objective is not to completely shut things down. Rather, companies should make the necessary corrections and amendments to their information systems and processes, as well as introducing internal “data hygiene” procedures. A situation where an organization has lost track of where its data is stored and how it is processed should be avoided. Each employee should be aware that any information  they are processing may contain personal data.

With just one year left to the implementation of the new data protection regulation, both private and public sectors must put serious effort into bringing the processing of personal data in line with existing legislation and the renewed and significantly more stringent regulation.

Over the next 12 months, it is necesary to train a sufficient number of data protection professionals and carry out extensive communication and awareness campaigns. According to some estimates, almost 30,000 new positions for data protection officers will have to be created in the EU.

It is also necesary to prepare for data transferability, carry out impact assessments on information systems, and ensure that the principles of data protection and privacy are observed. In just one year, everyone must be ready to prove and demonstrate compliance with the requirements of the new regulation.

Data processing practices, which have been relatively permissive so far, must be reviewed and reorganized. On the other hand, this will provide an opportunity to make companies more competitive by demonstrating that personal data is processed lawfully.

A version of this article was originally published in Äripäev.