Data Protection and Information Security are two related but distinct concepts that are often confused or used interchangeably. In this blog post, we will compare and contrast these two terms and explain why they are both important for organizations and individuals.
Overview
Data protection refers to the legal and ethical obligations to safeguard the privacy, confidentiality and integrity of personal data. Personal data is any information that can identify a living individual, such as name, address, email, phone number, health records, financial details, etc. Data protection laws and regulations aim to protect the rights and interests of data subjects (the individuals whose data is processed) and to ensure that data controllers (the organizations or persons who determine the purposes and means of data processing) and data processors (the organizations or persons who carry out data processing on behalf of data controllers) comply with certain principles and obligations when handling personal data. Some examples of data protection laws are the General Data Protection Regulation (GDPR) in the European Union, the California Consumer Privacy Act (CCPA) in the United States, and the Personal Data Protection Act (PDPA) in Singapore.
Information security, on the other hand, refers to the technical and organizational measures to protect information assets from unauthorized access, use, disclosure, modification or destruction. Information assets include not only personal data, but also any other information that has value for an organization or an individual, such as trade secrets, intellectual property, business plans, customer lists, etc. Information security standards and frameworks aim to provide guidance and best practices for implementing effective security controls and processes to prevent, detect and respond to information security incidents and breaches. Some examples of Information Security standards are the ISO/IEC 27000 series, the NIST Cybersecurity Framework, and the CIS Controls.
Compare and Contrast
The main difference between Data Protection and Information Security is that Data Protection focuses on the rights and interests of data subjects, while Information Security focuses on the value of, and risks to, information assets. Data Protection is more concerned with the legal and ethical aspects of data processing, while Information Security is more concerned with the technical and operational aspects of protecting data. Data Protection is mainly driven by external factors, such as laws and regulations, customer expectations, and public opinion, while Information Security is mainly driven by internal factors, such as business objectives, risk appetite, and organizational culture.
| Principle | Data Protection | Information Security |
|---|---|---|
| Transparency for Data Subjects | Fundamental principle of data protection law. In GDPR it is covered under several articles and recitals: Art 5(1)(a), Art 24, Art 25, Art 30, Art 35, and Recitals 39, 58, 60, 74, 78, and 100. | No such transparency principle exists directly. |
| Purpose Limitation | Obligation to process data only for the purpose for which they were collected. In GDPR, Art 5(1)(c) and Art 6(4) cover this. | No such principle exists. |
| Data Minimization | Closely related to Purpose Limitation: personal data must be adequate and relevant to the purpose and limited to what is necessary. Also in Art 5(1)(c) of GDPR. | No such principle exists. However, principles of data retention, which refer more to the length of time data is stored, have existed for decades. |
| Storage Limitation | Personal data may only be stored in a form that permits identification of the data subjects for as long as is necessary for the purposes for which they are processed. Art 5(1)(e) of GDPR. | Partially covered by the principle of data retention. |
| Integrity | Ensure protection against unauthorized modifications and deletions. Personal data may only be processed in a way that ensures protection against accidental loss, destruction or damage, by appropriate technical and organizational measures. | Property of accuracy and completeness. The definition and requirements of integrity in information security are broader than in data protection: it refers to data and to the systems and programs that process and store the data. Integrity is the protection of system data from intentional or accidental unauthorized changes. There are three goals of integrity, which the models address in various ways. |
| Confidentiality | According to Article 5(1)(f), confidentiality of personal data means that it is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures ('integrity and confidentiality'). | Confidentiality refers to preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. |
| Accountability and Verifiability | Accountability means ensuring, and being able to demonstrate, compliance with privacy and data protection principles (or legal requirements). This requires clear responsibilities, and internal and external auditing and control of all data processing. Article 5(2) GDPR states that a controller shall be responsible for, and be able to demonstrate compliance with, the GDPR principles described in Article 5(1) GDPR. | The principle that an individual is entrusted to safeguard and control equipment, keying material, and information and is answerable to proper authority for the loss or misuse of that equipment or information. |
| Identification and Authentication | Authentication is key to securing computer systems and is usually the very first step in using a remote service or facility and performing access control. Strong authentication may also be a key privacy mechanism when used to ensure that only a data subject, or authorized parties, may access private information. | Identification is the process of discovering the identity (i.e., origin or initial history) of a person or item from the entire collection of similar people or items. Identification and authentication are the process of establishing the identity of an entity interacting with a system. |
| Privacy rights for data subjects | Individuals have the right to access and rectify, as well as (within constraints) to block and erase, their personal data. Further, they have the right to withdraw given consent with effect for the future. These rights should be supported in a way that lets individuals exercise them effectively and conveniently. The implementation, or at least support, of these rights is promoted by the privacy by design principle, which demands considering the user, and by the one that stipulates privacy by default. | No such principle exists. Although, by virtue of using a product or service, data subjects may have access to some of their data or can perform certain actions. |
| Data portability | Article 20 GDPR introduces the right to data portability, allowing data subjects to receive their personal data and transmit it to another controller. | No such principle exists directly. |
| Automated processing | Automated processing of personal data means any operation on personal data carried out in automated processing systems. | No such requirement exists. |
| Freedom from error and discrimination in profiling | Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements. | No such requirement exists. |
| Business Continuity and Disaster Recovery | There is no direct requirement for business continuity. However, given the clear principles of Privacy by Design and Default, the data breach notification requirements and the stringent penalties, there is a strong need to recover the business when personal data of data subjects is involved. | Contingency planning for information systems is a required process for developing general support systems and major applications, with appropriate backup methods and procedures for implementing data recovery and reconstitution against IT risks. There can be additional requirements from sectoral legislation. |
| Data Breach Notification | A breach of security that is likely to result in a high risk to the personality or fundamental rights of the individual. Article 33 GDPR outlines the actions that companies experiencing a data breach are required to take. | Local, regional, and national legislation worldwide has data breach notification requirements. |
| Risk Assessment | Regulations like GDPR require organizations to perform DPIAs, TIAs and PIAs to assess risks to the fundamental rights of data subjects. | Information security frameworks like NIST and ISO are risk-based frameworks. Organizations can perform security risk assessments to ensure that the principles of confidentiality, integrity and availability are appropriately met. |
| Legal Basis of Data Processing or Lawfulness | According to European data protection law, the processing of personal data is only allowed if (a) the individual whose personal data are being processed (in the European legal framework called the "data subject") has unambiguously given consent, or processing is necessary (b) for the performance of a contract, (c) for compliance with a legal obligation, (d) in order to protect the vital interests of the data subject, (e) for the performance of a task carried out in the public interest, or (f) for the purposes of legitimate interests pursued by the data processing entities if such interests are not overridden by the fundamental rights and freedoms of the data subject. | Unless organizations are under sectoral legislation, there is no such requirement. |
Common, Practical Controls
Here are some practical tips on how you can improve your data protection and information security in your organization:
Conduct a data protection impact assessment (DPIA) to identify the types of personal data you collect, process, store, and share, and the risks associated with them.
Implement a data protection policy that defines the roles and responsibilities of your staff, the purposes and legal bases of your data processing activities, the rights of your data subjects, and the measures you take to protect their data.
Provide regular training and awareness programs for your staff on data protection principles and best practices.
Obtain valid consent from your data subjects before collecting or processing their personal data, unless you have another lawful basis.
Respect the data minimization principle and only collect and process the personal data that is necessary for your specific purposes.
Implement a retention policy that specifies how long you keep your personal data and how you dispose of it securely when it is no longer needed.
Use encryption, pseudonymization, or anonymization techniques to protect your personal data from unauthorized access or disclosure.
Establish a clear procedure for responding to data subject requests (DSRs), such as access requests or deletion requests.
Notify your supervisory authority and your data subjects in case of a personal data breach within 72 hours.
Review and update your contracts with third-party service providers that process personal data on your behalf to ensure they comply with your data protection obligations.
Conduct an information security risk assessment (ISRA) to identify the assets, threats, vulnerabilities, impacts, and likelihoods of your information systems.
Implement an information security policy that defines the objectives, scope, roles and responsibilities of your staff, the rules and procedures for accessing and using your information systems, and the measures you take to protect them.
Provide regular training and awareness programs for your staff on information security principles and best practices.
Use strong passwords or multi-factor authentication (MFA) to secure your accounts and devices.
Use antivirus software, firewalls, VPNs (virtual private networks), or other tools to protect your devices from malware or unauthorized access.
Update your software and applications regularly to apply security patches and fix bugs.
Back up your data regularly to prevent loss or corruption due to hardware failure or cyberattack.
Implement a disaster recovery plan (DRP) that specifies how you restore your information systems in case of a major incident or disruption.
Monitor your information systems for any suspicious or anomalous activities or events.
Report any information security incidents or breaches to your management or relevant authorities as soon as possible.
Conclusion
While data protection and information security have different scopes and objectives, they are interdependent and complementary.
Data protection cannot be achieved without information security. Data protection requires information security as a means to achieve its goals. Without adequate security controls and processes, personal data cannot be protected from unauthorized or unlawful processing, as any breach or compromise of data security could result in a violation of data protection laws and principles.
Likewise, information security cannot be effective without data protection, as any misuse or mishandling of personal data could undermine the trust and reputation of the organization and expose it to legal and regulatory sanctions. By complying with data protection laws and regulations, organizations can enhance their security posture and reputation.
Moreover, both data protection and information security share common principles and objectives, such as confidentiality, integrity, availability, accountability, transparency, and resilience. Therefore, organizations need to adopt a holistic approach that integrates both data protection and information security into their policies, processes, and practices.
As we specialize in data protection and information program management including ISO 27001 and ISO 27701 certification, you can always contact us if you need help with your ISMS and PIMS programs.
References
ENISA, Privacy and Data Protection by Design: from policy to engineering (December 2014), ENISA (europa.eu)
ISO/IEC 27001:2022 and ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection: Information security controls (ISO)
NIST, CSRC Glossary (nist.gov)
United States Congress, House Committee on Science, Space, and Technology, NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017: report together with minority views (to accompany H.R. 1224) (including cost estimate of the Congressional Budget Office) (U.S. Government Publishing Office, 2017)
Joint Task Force Transformation Initiative and National Institute of Standards and Technology, Security and Privacy Controls for Federal Information Systems and Organizations (U.S. Department of Commerce, NIST, 2023)
European Union, General Data Protection Regulation (2016)
Kuner C and others, The EU General Data Protection Regulation (GDPR): A Commentary (Oxford University Press, 2020)