Data sovereignty is one of the biggest challenges businesses face today. Data can be considered the new currency of the business, and top management already recognizes data sovereignty as a strategic concern rather than a tactical issue. Technology is evolving quickly, providing ever more sophisticated products and services for protecting sensitive data. However, we cannot address the data sovereignty challenge without considering its main cornerstone: people.
Are people the primary barrier to achieving data sovereignty?
When reading about major incidents involving data leaks, we almost automatically suspect that the leak was caused by cybercriminals outside the organization. However, the sad truth is that most of them are caused by human error: as many as 66%, according to the Dutch Data Protection Authority.
Recently, the Australian government admitted that it is more fearful of human error than of cybercriminals. Mistakes were the primary cause of 74% of the data breaches reported by government agencies in 2021, while the percentage was more than 30% for other sectors.
According to the European Union Council, non-malicious threats are a significant part of the list of top cyberthreats in the EU, most of which result from human errors. If these numbers are not alarming enough, consider the GDPR fines issued in 2021: Amazon – €746 million, WhatsApp – €225 million, Notebooksbilliger.de – €10.4 million.
There are certain patterns of human error that lead to these situations. Many employees use public Wi-Fi networks for sensitive business operations or use their personal smartphones for work-related activities — often with minimal security on the device. Other real-life examples include sharing a corporate device with family and friends, choosing weak passwords and even continuing to use the same password after a breach. In its 2020 Data Breach Investigations Report, Verizon asserted that misconfiguration is among the top causes of data breaches. There are many more examples, and the gravity of the situation is clear.
Rather than merely blaming employees, it is essential to start improving the overall culture of data protection and develop better processes to secure business data. Data sovereignty is largely dependent on the organization’s culture. Recognizing the challenge from the highest management level and understanding that data protection is part of the organizational vision and responsibilities will help create a strong culture among employees — who remain the first and weakest level of defense.
Logically, the policies and processes that follow are the second step, but how do we ensure that they are the right ones? Strong processes and more advanced technology for user authentication, device locking, and security configuration guidelines could avoid many of the issues mentioned above.
Building data sovereignty consciousness at every level
Compliance with local data privacy laws is not the only reason for building this consciousness; the business scope must also be taken into consideration. Effective data classification is a must. Knowing where the critical data is stored and who has access to it provides the visibility needed to apply processes and controls according to the different data classifications. Companies can then focus investment and effort on mitigating the risk to sensitive data, rather than wasting resources on low-risk areas.
Employees who process and access sensitive data will be approached differently. Data privacy training for employees should be a natural process, but not every employee will be trained in the same way. There should be mandatory training on best practices and requirements for all employees, to ensure that they understand the concept and consequences of data leakage. Different departments often handle their data without any clear guidance on how it should be done, so simple and understandable guidelines should be made available to employees. Managers should be included in the process and should take responsibility for ensuring that their teams understand and comply with standard processes. Open discussions with the employees affected by the processes, and gathering their feedback, are important for subsequent optimization.
Adapting training to each department’s needs
Because the processes can make or break an initiative, the organization should employ trained professionals to create them and to understand what data sovereignty means within each department. The skills of an organization’s data privacy and security specialists will differ based on the organization’s scope, but there are well-recognized training courses and certifications available on the market.
Investing in the continuous education of your professionals will pay back in the future. Some examples include the DPO Certification from the EU GDPR Institute, the Data Protection Certification Course from the European Institute of Public Administration, and ISACA certifications such as Certified Information Systems Control, Certified Information Security Manager, Certified Data Privacy Solutions Engineer and others. These can be complemented by technical training from vendors and cloud providers. Working with legal experts who specialize in local and global data privacy regulations is a non-negotiable requirement.
Working together to create inclusive digital sovereignty
In the 21st century, employees are constantly facing digital transformation, so the organization should take all necessary steps to make these processes easier for them. We must avoid at all costs a situation in which the organization’s data privacy and security function is perceived as pointing a finger at other departments and accusing them of mistakes. In fact, it should be quite the opposite: the data privacy professionals are there to support the other business units, and having the right professionals guiding data governance is a key factor.
Closing the human gap in data sovereignty is undeniably a challenge — but not an impossible task. In doing so, the organization will address one of the biggest challenges for data sovereignty.
About the author
Global Cybersecurity Business Development Manager, Atos