Data protection and data security: these are the differences!

What is meant by the terms “data protection” and “data security”? Are you aware of the differences? We will tell you one thing right from the start: “data protection” and “data security” do not mean the same thing, even though they have the common root “data”. Therefore, these terms should not be used synonymously. Why is that? Keep reading to find out.

Differences between data protection and data security

So what exactly are the differences between data protection and data security, even though they sound so similar? Unfortunately, there is no standard definition for the terms, and the differences cannot be derived from the words “data protection” and “data security” either.
We will start with what is meant by “data protection”, because this is also important for understanding data security: data security is a component of data protection.

What does “data protection” mean?

Explanation
Data protection is about protecting individuals whose personal data is processed, e.g. stored, by a company or local government. Personal data can be any information about a person that can directly or indirectly identify that person. Personal data includes names, addresses, occupations, education or account numbers, health data, political opinions or information about religious affiliation. In short, data protection focuses on individuals. Individuals should be protected by data protection legislation from having their personal data processed arbitrarily by companies or other institutions. Individuals should retain control over their data and not become “transparent individuals”.

Legal framework
In Germany, there are various legal regulations on data protection. Firstly, data protection is a fundamental right in Germany. This is not always widely known, as there is no fundamental right called “data protection”. However, data protection as the “right to informational self-determination” has been derived from the general right of personality, Article 2 (1) GG in conjunction with Article 1 (1) GG, since the 1983 census ruling. According to the “right to informational self-determination”, every person should in principle be able to decide for themselves whether to disclose their data and be aware of who processes their data, when and why. In Germany, however, when it comes to the concrete processing of personal data in everyday professional life, the GDPR and the BDSG are decisive (in addition, country-specific and/or area-specific regulations may still apply). Due to its regulatory nature, the GDPR generally takes precedence over the BDSG; however, the BDSG supplements the GDPR in certain areas where the GDPR contains no statements or no specific ones, e.g. in the area of employee data protection.

Key principles of data protection
To ensure that personal data is not processed arbitrarily by companies or other institutions, the GDPR regulates “whether” and “how” the data is to be processed. The decisive factor for the “whether” is that personal data may only be processed if a legal basis permits this or if the persons whose data are processed have given their consent (Art. 6 (1) GDPR), the so-called “prohibition with reservation of consent”. In addition, the GDPR lays down certain principles on “how” personal data is to be processed (Art. 5 GDPR). For example, personal data may only be processed for purposes determined before the processing (e.g. fulfilment of a contract) and must be reduced to a minimum (e.g. no collection of personal data that are not necessary for the fulfilment of the contract). Furthermore, data processing must be transparent, meaning that individuals must be fully informed about the processing of their personal data so that they can understand or control the processing.

Summary

Data protection protects individuals from unlawful processing of their personal data. The legal regulations on data protection, particularly the GDPR, regulate “whether” and “how” personal data are processed.

What does “data security” mean?

Explanation
“Data security” is a sub-area of “IT security” in addition to “information security”. In contrast to data protection, data security focuses on the data itself and not on persons. It also focuses not only on personal data but on data in general, which therefore also includes, for example, operational data (balance sheets, source code) that have no personal reference. Data security aims to protect data from threats through technical and/or organisational measures. Threats can be, for example, hacking, theft, malware or human error.

Legal framework
Data security focuses on ensuring that technical and/or organisational measures are in place to protect data. There is no universally applicable data security law for all companies. However, Art. 32 of the GDPR stipulates that technical and/or organisational measures must be used to protect personal data; it also lists exemplary measures, such as encryption or pseudonymisation.
However, for critical infrastructures, or “CRITIS” for short, such as for the healthcare, finance, food or energy sectors, there are special legal regulations regarding information security in general. The Information Security Act applies to the CRITIS. The law aims to ensure that the information technology systems of the CRITIS are made secure. In addition, companies or other institutions can be certified according to certain standards, e.g. ISO 27001 or BSI IT-Grundschutz. These standards contain certain regulations on how information security can be implemented theoretically and practically in a company or other institutions through technical and/or organisational measures.

Main protection goals of data security
The goal of data security is to ensure that data is protected at all times. Data security exists, among other things, when the three essential protection goals of “confidentiality”, “availability” and “integrity” are guaranteed or not compromised. Confidentiality is ensured when only authorised persons have access to the data; availability when the data is available to authorised persons at all times; integrity when the data is correct and complete.

Summary

Data security protects data of any kind against loss, manipulation and other threats and can be achieved in particular by technical and/or organisational measures.

Conclusion

It is important to note that although data protection and data security are not identical, data protection can only be ensured through data security. After all, it is of no use if personal data is processed lawfully but is not sufficiently protected from threats by technical and/or organisational measures.
