What is Data Protection?
Data protection has regained more space in the public discussion thanks to the European General Data Protection Regulation. Data protection is primarily about regulating the appropriate handling of personal data. Several generations of laws, specifications and regulations at national and international level have established certain basic concepts that describe various aspects of this task. Specifically, this is about
- protection of the right to informational self-determination,
- protection of personal rights in data processing,
- protection of privacy,
- Protection against improper data processing.
What is Data Security?
Data security has overlaps but also clear differences with data protection. Nowadays, the main technical goal of data security is to adequately protect data of any kind against loss, manipulation, unauthorized access by third parties and other threats. Data security can be achieved by suitable technical and organizational means (“TOMs”), which have already been defined in the data protection environment, and vice versa. Like information security and other related disciplines, the protection goals of data security include confidentiality, integrity and availability. In general, the operative fields of activity are largely drawn from the same laws, ordinances and guidelines. In the area of data security, there is a greater focus on the entirety of company-sensitive and critical data that serve as a basis for making decisions. Data security incidents – in the sense of unintentionally manipulated or leaked data – are therefore less to be found in a legal penalty dimension, but rather with the weakening of the company’s own decision-making authority through an incorrect database and/or information outflow to the competition (in the sense of industrial espionage), in the market (above all in terms of image loss) or to governmental bodies. Data security also needs to be distinguished from data security, which tends to be assigned to the area of availability and disaster prevention.
Difference between privacy and data security
Data protection focuses primarily on personal data itself: what rights individuals have (request for information, request for deletion, etc.), what obligations organizations have (collection, processing, active deletion, etc.).
Figure 1: Data protection vs. data security
Data security, on the other hand, focuses primarily on the correctness and integrity of personal and business-critical data that serve as the basis for business decisions. Data security thus covers large areas of the technical implementation of data protection but goes beyond purely personal data in the data objects considered. Adequate data security is a central requirement for effective data protection. What both have in common, however, is the requirement to handle data appropriately to maintain the similar but differently valued protection goals of both disciplines.
Rules on data protection and data security
In most cases, you can’t have one without the other. Data protection and data security are almost inextricably linked and are not only based on the same legal requirements. Data protection defines the following basic rules, especially for data collection and processing:
- Direct collection: Data may only be collected directly from the person involved.
- Consent to data collection: This must actively consent to data collection.
- Purpose limitation: the respective purpose of use must be clearly stated in the consent
- Data avoidance and data economy: any data NOT necessary for the purpose of use must NOT be collected and stored
- Rights of data subjects: Since the GDPR came into force, every individual also has significantly more comprehensive rights in relation to their data collected by an organization.
Data protection and data security in the legal books
The basis for data protection and data security are above all the following (German) laws, which are to be consulted for the definition and handling of data objects worthy of protection and the associated processes:
Implementation of data protection and data security
As a management and process competence, the Information Security Management System (ISMS) for the implementation of data protection and data security is at the top of the list of priorities, and in many companies, it is based on common ISO standards. Also included is the definition of clear roles and responsibilities as well as the mapping of all objects and processes that have historically developed around data worthy of protection or that are to be updated within the framework of corresponding project activities. This includes:
- Structure of the ISMS mentioned with feedback mechanisms and continuous improvement
- Appointment of internal or external data protection officers with a clear role description
- Planning, implementation, and documentation of internal and external audits
- Process, application, and data models, with a focus on personal and other critical data
- Processes and tools for manual and automated test routines,
- Raising employee awareness through training and information
- technical protective measures of any kind to harden or react to internal and external, provoked, but also to unwanted incidents,
- Development of availability and disaster recovery technologies,
- Data reduction, data anonymization, data masking,
- Regular tests including documentation of relevant incident scenarios
Also, read more on related topics
Your contact at Firnkorn & Stortz on the subject of data protection and data security
Firnkorn + Stortz GmbH