What is the difference between data protection and data security?
The terms "data protection" and "data security" are often used interchangeably. However, they are not congruent and address different approaches. Data security is the use of tools and techniques that protect data or information, such as network security, mobile data security, database security, identity management, encryption, etc. Data security protects this data from hackers or other unauthorized access.
Data protection is about the purposes for which personal data is collected and processed and on what legal basis. To better understand the objectives of data protection, you should take a closer look at the six principles of the General Data Protection Regulation:
- Lawfulness, fairness and transparency of processing
- Earmarking
- Data minimization
- Correctness
- Storage limitation
- Integrity and confidentiality
These six principles must be taken into account when complying with the GDPR or other data protection regulations based on the GDPR.
Why are data security and data protection important?
When we say that there can be data security without data privacy, we usually mean that when it comes to data security, while the data may be well protected from breaches or leaks with security tools and techniques such as anti-malware software, anomaly detection or firewalls, the data privacy principles may not have been applied as well and therefore may not be in line with the
data protection laws to protect the informational self-determination of consumers. This could mean that a company retains data without a legal basis, that it has collected too much or that it stores it for too long. It is quite possible that you are protecting data that you should not be storing at all.
Data protection management software like 2B Advice PrIME can help organizations understand how they stack up against the six principles of GDPR and help them develop a compliant data protection program. Good data security and data protection management go hand in hand to ensure you are keeping the right data safe.
How can data security and data protection reduce the risk of data breaches?
Data security and data protection not only make good business sense, they also reduce the risk and frequency of data breaches and data loss. Depending on which data protection regulations you fall under, the fines and penalties for compliance violations or data breaches can be very costly for a company. For particularly serious breaches, which are listed in Art. 83, para. 5 GDPR, the fine can be up to 20 million euros or, in the case of a company, up to four percent of its total worldwide turnover in the previous year, whichever is higher. However, the GDPR also provides for fines of up to EUR 10 million for less serious infringements or, in the case of a company, up to two percent of its total worldwide turnover in the previous year, whichever is higher.
In the US state of California, the CPRA Privacy Rights Act not only deals with data protection, but also obliges the companies concerned to take appropriate security precautions to protect personal data, thereby linking data security and data protection, as the companies must also protect the data held.
Under California's CPRA, administrative penalties of up to $2,500 per violation can be imposed (or three times that amount, $7,500, for willful violations or violations involving minors under the age of 16). In addition, California provides a right of action for consumers "whose unencrypted and unprotected personal information ... is subject to unauthorized access and disclosure, theft, or disclosure as a result of the business's failure to establish and maintain reasonable security procedures and practices ..." to file a civil lawsuit. Businesses that are victims of a data theft or other data security breach may be ordered to pay statutory damages of between $100 and $750 per California resident per incident or actual damages, whichever is greater, in civil class action lawsuits, as well as any other compensation a court deems appropriate, with the California Attorney General's Office having the option of prosecuting the business criminally rather than allowing civil actions to be brought against the business.
How can data protection and data security be guaranteed?
To ensure the security of data, companies generally use IT tools and techniques to protect networks, databases and mobile devices, e.g. VPNs, firewalls, anti-virus and anti-malware software as well as measures such as vulnerability scans, penetration tests, pseudonymization, encryption, etc. The aim is to protect sensitive data from hackers or other unauthorized access.
To ensure adequate data protection, companies need to identify what types of data they have and where it is stored. This should start with a data protection impact assessment, especially if the GDPR applies to them and the data may be sensitive or high-risk. Article 35 GDPR explains this:
Where a form of processing, in particular when using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons due to the nature, scope, context and purposes of the processing, the controller shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data beforehand.
Once an organization has completed the data protection impact assessment, it is useful to have a place to document the processing activities identified and the processors involved, as well as a reporting function to demonstrate compliance with accountability. It is very useful to use a scalable data protection management software solution to conserve scarce resources.
Why is data security so important?
Data security is an important aspect of running a business of any size, whether it's a startup or a global corporation with thousands of employees. By ensuring adequate security of personal data that your company collects, receives, stores and transmits, you can minimize the number of data breaches your company could suffer. A data breach can cost a company thousands of euros in fines, and not only that, data breaches can cause significant damage, including loss of revenue and damage to brand value by affecting consumer perception and trust in a company.
What is the role of data security?
The task of data security is to protect the data that your company collects, receives, stores and forwards. Companies can use a range of IT tools and techniques for data security. It also plays an important role in maintaining security and data protection compliance.
Why is it important to know the difference between data security and data protection?
It is important to know the difference between data security and data protection, because the difference lies in what data is protected, how this data is processed and who is responsible for protecting the data. Data security is about protecting data from data loss, through unauthorized access via security breaches, leaks, etc., while data privacy is about the responsible use of data with the consent of the data subject, be it an employee or a customer. Knowing the difference is the first step to adequately protecting your data.
What is personal data?
Personal data obviously includes key identifiers such as social security number, passport number, driver's license and date of birth, which, if known or lost, could be used for identity theft. However, there are many other types of data that are considered personal data, such as internal knowledge or preference factors, financial data, medical or health data, historical, social or external factors such as unique identifiers, ethnicity, sexual, demographic or physical characteristics. The GDPR even includes web identifiers such as IP address, cell phone number or geolocation.
Who is responsible for data security?
In most companies, responsibility for data security lies with the IT department, which is headed by the Chief Information Officer (CIO) or IT Director. In more and more companies, there is also an independent department for data security, which is headed by a Chief Security Officer (CISO) or Information Security Officer.