In Georgia, throughout the past decade, the standards of cybersecurity and protection of personal data have significantly developed at the level of both legislative and practical implementation. The organizational-institutional framework has been established in both fields, knowledge of specialists working in these areas increased, appropriate strategic and legislative frameworks have been created, which, along with the regulation, should create favorable environmental conditions for cyber security and personal data protection development.

Although cybersecurity and personal data protection standards have been developed, given the global challenges, the dynamics of cybersecurity and protection of personal data, there are still many challenges in these areas, in both private and public structures. A clear example to illustrate this is the report on the activities of the State Inspector's Service 2020, according to which breaches related to data security measures increased by 10% compared to 2019.

Georgia, which is a country with European legal culture and is in the process of European integration, should continue to intensify its efforts to harmonize domestic legislation with European regulatory standards. The introduction of European standards of cybersecurity and personal data protection will be another step forward for Georgia tointegrate into the European digital single market, while, in the course of personal data processing, the citizens of Georgia will be provided with a high standard of security in cyberspace and mechanisms for effective and efficient protection of human rights and freedoms, including the privacy.

Recommendations

- The Georgian law on Information Security should clearly stipulate the avenues of cooperation between competent cybersecurity authorities and the State Inspectors' Service in matters related to personal data protection, including personal data security breach or/and a cyber incident. The protocol and legal procedure for the exchange of information should be established. Strengthening competent authorities with so-called tabletop exercises and relevant training courses is crucial for proper planning of the notification process with regard to the personal data breach related to the incident.

- The Georgian Law on Information Security should have precise and definite rules/criteria for determining critical information systems subjects, which may be supplemented by sectoral characteristics. More clarity at the legislative level will leave authorities with less space for subjective discretion and give sectors greater opportunities for sustainability and foresight. Many EU countries, including Estonia, have a well-established practice of determining critical sectors at a legislative level.

- The Georgian legal system (The Georgian law on Information Security or the Law of Georgia on Personal Data Protection) should list specific organizational and technical measures, their purpose (e.g., ensuring integrity, accessibility, and confidentiality of the data), or determine precise requirements (e.g., using certified systems, developing internal data protection policy documents - internal rules), the introduction of which ensures the security of personal data.

- It is crucial to carry out an in-depth analysis of whether the Georgian Law on Information Security, in terms of data security in cyberspace, complies with the requirements of the Georgian law on Personal Data Protection, and based on the analysis, at least for critical information systems subjects, it will be clearly identified what standards should be followed to ensure the security of personal data in cyberspace. In particular, whether the introduction of ISO 27001, the minimum information security requirements, and the cybersecurity services are sufficient for protecting personal data in cyberspace.

- Since the Georgian Laws on Personal Data Protection and Information Security, despite the differences in their objectives and area of application, have significant legal and practical overlap in terms of the protection of personal data in cyberspace, it is advisable to bring the activities of the competent bodies in these areas closer, cooperate more intensively, and take measures in a coordinated manner. At the initial stage, the central areas for cooperation are: directing specific areas of auditing in a coordinated manner, givinginformation security and cybersecurity specialists and personal data protection staff training on overarching issues, raising their knowledge, and exchanging information.

Ensuring Personal Data Protection in Cyberspace: Challenges and Needs of Georgia

/public/upload/Analysis/Personal-data-and-cybersecurity - final pdf.pdf