Information Security vs Data Protection
Is this an issue for our ISO or our DPO, or is it much the same in either case? Who exactly is responsible for this incident, and is there a need to report it at all? In order to discuss the similarities and differences between information security and data protection, the first step is to define the two areas.
European data protection law principally only protects natural persons and is intended to protect against the unauthorised processing of personal data. This goes back to the right of informational self-determination, which has been protected even more strongly since the introduction of the General Data Protection Regulation and surrounding legislation. As a result, it can be said that the processing of personal data is fundamentally prohibited unless the processing is permitted by legal regulations or consent.
On the other hand, information security is comparable to the annexe of our order processing agreements, the TOMs, namely the technical and organisational measures to protect data. Information security is concerned with the protection of various protection goals, such as:
- Confidentiality,
- Integrity,
- Availability.
In order to meet the stringent requirements of various laws and data protection, companies must implement the most robust technical and organisational measures to prevent data protection breaches and cyberattacks.
The differences lie in the motivation
While the implementation of data protection measures mostly follows legal requirements, the implementation of information security in companies is not as strongly regulated. There are various standards and specifications, but there is no obligation in information security, such as the obligation under data protection laws to appoint a representative above a certain size. Thus, the differences lie in the motivation. While information security should be implemented out of the self-interest of all companies, the implementation of data protection requirements is regulated by law and, at least in the private sector, secured by sanction measures.
Conflicts between the two areas
Conflicts can arise, especially when considering the storage of personal data. For example, this conflict arises when we store backups of our clients’ databases to ensure the protection goal of availability. In doing so, however, we are potentially acting against data protection principles. What actually happens if a customer submits a data subject request and we have to delete all personal data? A challenging case in practice is the clean-up of backup generations for precisely these data subject requests. From a security point of view, we want to keep the backups in case of an emergency; from a data protection point of view, we have to delete parts of the data and fulfil our obligations towards data subjects. Another example is log files. By monitoring connection logs, we can check which users have taken which action. This way, we ensure the integrity and can prove when something goes wrong. From a data protection point of view, however, the storage of data is prohibited for the time being unless we receive consent or there is a legal basis.
In summary, it can be said that data protection and information security are topics that should be considered holistically. However, there is potential for conflict due to the different objectives of these areas. We at Increase Your Skills have made it our task to educate people in both areas in the best possible way and thus ensure an effective level of security and also data protection.