What is Data Protection?

Data protection has regained more space in the public discussion thanks to the European General Data Protection Regulation. Data protection is primarily about regulating the appropriate handling of personal data. Several generations of laws, specifications and regulations at national and international level have established certain basic concepts that describe various aspects of this task. Specifically, this is about
  • protection of the right to informational self-determination,
  • protection of personal rights in data processing,
  • protection of privacy,
  • protection against improper data processing.
Ultimately, these are different perspectives on the one central goal: the right of the individual to decide who may have access to which of their personal data, and when, so that they are better able to protect themselves against corporate, state or other surveillance and profiling. In practice, data protection means that a single person decides (often with a click or a signature) whether, and if so which, of their data is passed on to a requesting organization and what it may be used for, and is granted rights to information, deletion and the like.

What is Data Security?

Data security overlaps with data protection but also differs clearly from it. Today, the main technical goal of data security is to adequately protect data of any kind against loss, manipulation, unauthorized access by third parties and other threats. Data security is achieved through suitable technical and organizational measures (“TOMs”), a term that was already defined in the data protection context; conversely, data protection relies on these same measures. Like information security and related disciplines, data security pursues the protection goals of confidentiality, integrity and availability. In general, its operational fields of activity are largely drawn from the same laws, ordinances and guidelines. Data security, however, focuses more on the entirety of company-sensitive and critical data that serve as a basis for decision-making. Data security incidents, in the sense of unintentionally manipulated or leaked data, are therefore felt less as legal penalties and more as a weakening of the company’s own decision-making ability through an incorrect data basis and/or an outflow of information to competitors (industrial espionage), to the market (above all as loss of reputation) or to government bodies. Data security must also be distinguished from data backup, which tends to be assigned to the area of availability and disaster prevention.

Difference between data protection and data security

Data protection focuses primarily on personal data itself: what rights individuals have (request for information, request for deletion, etc.), what obligations organizations have (collection, processing, active deletion, etc.).
Figure 1: Data protection vs. data security
Data security, on the other hand, focuses primarily on the correctness and integrity of personal and business-critical data that serve as the basis for business decisions. Data security thus covers large areas of the technical implementation of data protection but goes beyond purely personal data in the data objects considered. Adequate data security is a central requirement for effective data protection. What both have in common, however, is the requirement to handle data appropriately to maintain the similar but differently valued protection goals of both disciplines.

Rules on data protection and data security

In most cases, you cannot have one without the other. Data protection and data security are almost inextricably linked, and not only because they rest on the same legal requirements. Data protection defines the following basic rules, especially for data collection and processing:
  • Direct collection: data may only be collected directly from the person concerned.
  • Consent to data collection: the person concerned must actively consent to the collection of their data.
  • Purpose limitation: the respective purpose of use must be clearly stated in the consent.
  • Data avoidance and data economy: any data not necessary for the purpose of use must not be collected or stored.
  • Rights of data subjects: since the GDPR came into force, every individual has significantly more comprehensive rights in relation to the data an organization has collected about them.
Disregarding these rules can result in severe penalties, especially where the data concerned is not merely personal but content that is particularly worthy of protection. It therefore makes sense for organizations not only to think about backup mechanisms in the context of data security, but also to actively invest in software, hardware, processes and advice that support the fulfillment of data protection requirements as well as possible. In concrete terms, this means for data protection and data security: planning and implementing hardware, software and processes from the outset according to data security criteria and, above all, checking and testing them regularly.

Data protection and data security in the legal books

The basis for data protection and data security is above all the following (German) laws, which are to be consulted for the definition and handling of data objects worthy of protection and the associated processes:

The GDPR in particular has caused a stir, and even more project activity in companies, in recent years, because it views many topics previously treated as individual aspects in a holistic context and, above all, has enormously strengthened the rights of the original owners of the data, i.e. the individuals. Since the GDPR came into force, penalties for disregarding data protection have risen, depending on the severity and scope of the misconduct, to the tens of millions of euros, which has meanwhile also made companies from less restrictive regions of the world aware of European data protection.

Implementation of data protection and data security

As a management and process competence, the Information Security Management System (ISMS) for implementing data protection and data security is at the top of the list of priorities, and in many companies it is based on the common ISO standards. Also included are the definition of clear roles and responsibilities and the mapping of all objects and processes that have historically grown around data worthy of protection or that are to be updated as part of corresponding projects. This includes:
  • Establishment of the ISMS mentioned above, with feedback mechanisms and continuous improvement
  • Appointment of internal or external data protection officers with a clear role description
  • Planning, implementation, and documentation of internal and external audits
  • Process, application, and data models, with a focus on personal and other critical data
  • Processes and tools for manual and automated test routines
  • Raising employee awareness through training and information
The main technical measures are found in the area of data security:
  • Technical protective measures of any kind to harden against, or react to, internal and external incidents, whether provoked or unintended
  • Development of availability and disaster recovery technologies
  • Data reduction, data anonymization and data masking
  • Regular tests including documentation of relevant incident scenarios
Given the complexity shown, many companies find it difficult to keep sufficient competence available in-house. This has led, for example, to many external data protection officers who, as proven experts, can also evaluate and handle special cases from different perspectives. The BSI also recently reported increased training and certification of company-independent incident experts, who can be consulted for proactive advice as well as in an emergency. Several software and service companies have specialized in offering solutions and services, for infrastructure and for complex application environments, that take the complexity out of information security in general and data protection and data security in particular. Especially in highly complex SAP environments with thousands of active interfaces, vast numbers of development projects with internal and external developers, and the most varied release and transport statuses based on them, there is an unbroken need for specialists who can use structured tools and methods to eliminate weak points, as the consultants of Firnkorn & Stortz have proven umpteen times with their in-house standard tools, with advice and support along the best practices of data protection and data security, and above all with relevant customer experience. Finally, one more group contributes significantly to improving data protection and data security by massively challenging exactly these, albeit on behalf of the commissioning organization: penetration testers and ethical / white hat hackers.

Your contact at Firnkorn & Stortz on the subject of data protection and data security

Get in contact with us

Ask us your questions!