
About 90% to 99% of entities in Kazakhstan do not comply with data protection legislation, according to Ivan Korshunov, chief information security officer (CISO) at Bereke Bank. Speaking at a roundtable titled «Cryptography and Personal Data: Best Practices and Promotion of Local Solutions,» he claimed it is simply impossible for the vast majority of Kazakhstani businesses to meet the requirements set by state agencies.
Korshunov noted that the country’s legislation mandates the use of cryptographic information protection facilities (CIPF) if a business stores or transfers personal data. However, the law doesn’t clearly define what those facilities are. Moreover, personal data is processed almost everywhere, including in schools and even residential buildings. For example, some apartment complexes use biometric authentication to control entry to the lobby.
«This requirement cannot be implemented by 90% to 99% of organizations in our country. It’s simply impossible to use CIPF in schools to encrypt databases. These tools are very expensive. The entire budget of a school isn’t enough to cover these costs, let alone a condominium,» Korshunov emphasized.
He pointed to the government’s eGov.kz portal as an example. The state-run site transmits Kazakhstanis’ personal data from its servers to mobile devices without using CIPF tools, encryption, or data decompression.
«There is no such thing. The government itself doesn’t comply with its own rules — because compliance is impossible for many entities,» the Bereke Bank CISO said, adding that only large organizations, banks and the state itself are in a position to do so.
He also noted the disconnect between written regulations and what the government actually expects from businesses when it comes to IT security — a gap that, he warned, creates fertile ground for corruption.
On March 5, 2024, media reported that Zaimer.kz, a microfinance organization, had leaked the personal data of two million clients. On March 11, the Digital Ministry said it had informed affected users about potential risks and shared safety recommendations. In early April, the company was fined $7,245.