Our partner Jukka Lång had an insightful breakfast with one of the indisputably best experts in data security matters in Finland, Mr Jarno Limnéll. They both agreed that in the rapidly evolving cyber security landscape, regulating or preventing yesterday’s threats is not worth the effort. One must think ahead.
The Growing Interest in Data Protection and Security
The general interest in data security and data protection has rapidly increased. Both the technical capabilities and regulatory requirements have increased, and so has the general public’s interest.
Data security and personal data protection go hand in hand, as Mr Limnéll pointed out. For many, these two mean the same thing, but from both the practical and the legal perspective there is a difference between the concepts. In practice, data security covers the methods used to protect data from illegitimate access. Data protection, on the other hand, means defining how personal data may be accessed lawfully, and by whom.
Both Lång and Limnéll see that the general interest in data protection and data security is continually increasing. This development is surely fuelled by the clearer picture of the cyber security landscape that we will have next spring. Previously, many cyber security incidents stayed under the radar. Awareness of cyber security and the level of data protection will increase next spring, when the GDPR, with its notification obligations, enters into effect. The GDPR obligates companies that process personal data to inform the authorities and, in some cases, customers within 72 hours of becoming aware of a data breach. Even sending marketing material with every recipient in the “Cc” field, thereby revealing all the email addresses, or a ransomware attack could trigger the notification obligation. This will affect companies’ obligations, but it will also bring many issues that can currently be kept secret into public knowledge.
Legal Data Security Requirements are Fragmented but Share a Uniform Approach
Every day, more and more data is being stored, and that data must be protected. Data protection – and, to some extent, data security – is quite strictly regulated. In the fall of 2016, D&I assisted the Ministry of Transport and Communications in the preliminary preparation of the national implementation of the NIS directive, which will boost the level of cyber security in the EU and affect especially the most essential sectors, such as electricity and transportation. We assessed and analysed what types of data security, risk management and other security obligations are set forth in the Finnish law, EU law and treaties currently applicable to the sectors covered by the directive. What we found, amongst other things, is that the security and risk management obligations are fragmented and spread across our legislation. For example, if you are in the finance sector and your data assets are attacked, you may need to inform several authorities, while minimising the damage and being able to prove that you did your best to protect the data. To be able to comply with the relevant requirements, you first need to know which requirements you are subject to.
“The strategic-level and legal assessment of data security from the risk-based approach gives the possibility to make more informed decisions”
However fragmented, the different data security-related legal requirements share a similar “risk-based approach”, which is explicitly introduced in the GDPR. This should also be the approach taken by those assessing the requirements and ensuring that agreements, systems and procedures are compliant and carry minimised risks. The strategic-level and legal assessment of data security from the risk-based approach gives the possibility to make more informed decisions – and lets individuals speak a similar language whether they are lawyers, security professionals or management only starting to understand the field of security.
Securing and Protecting the Most Valuable Assets
Whether you define your data assets as the oil or the air, data flows circulate around every key element of your business, including running machines, HR and CRM. Both Jukka and Mr Limnéll have seen that Finnish companies are increasingly interested in personal data protection and cyber security-related issues, and both have been advising large Finnish companies, and their top management, on these issues. There are many reasons for that, including the ubiquitous role of data in the business and the resulting wider PR and regulatory risks, not least because of the high sanctions under the GDPR.
“Cyber security is no longer only IT’s or security consultants’ problem, but rather a matter that concerns the company’s core business”
One of the key aspects in this regard is that cyber security is no longer only IT’s or security consultants’ problem, but rather a matter that concerns the company’s core business. This is nowadays the case regardless of whether the company is a retailer in the consumer business or a metal factory far from data-driven business (needless to say, however, many factories are also experimenting with the opportunities provided by data-driven business models). Data security and data protection are so closely linked to the core business and corporate governance that management must be informed and must then make the key decisions regarding these matters.