Digitalisation is rapidly on the rise, with more and more content being moved to the cloud. This increases the quantity of data that needs protection worldwide. Data protection and data security are crucial for every company. A single database breach can affect millions of customers at once, as the recent breach at the Marriott hotel group showed. A massive data breach relating to coronavirus emergency aid packages in Italy also made headlines recently. One casual glance at a world map of botnets carrying out attacks in real time will leave your head spinning. A cynic might be tempted to say: either you’ve been hacked before, or you just don’t know it yet. In other words, merely demanding data protection in theory doesn’t cut it. Instead, the focus should be on the technical and organisational means of achieving data protection in practice, that is, on data security.
What you need to know, in a nutshell
- Data security is a prerequisite for data protection, which is impossible without technical and organisational measures
- Technical measures must always be state of the art
- The Internet is a major weak spot, and this is where data security comes into play
- A good cloud provider can massively increase data security
- Additional measures to secure data can be identified by including an outside perspective
In this article
- What is the relationship between data protection and data security?
- What legal foundations underpin data security?
- For which parties is data security particularly relevant?
- Which areas are covered by data security?
- What are easy ways to improve data security?
- Does the cloud increase data security?
- What data security standards are there?
- How can one’s own data security be audited?
What is the relationship between data protection and data security?
Data protection is impossible without data security. With vast quantities of data being stored all over the globe, certain technical and organisational measures are necessary to guarantee a certain level of data security. Data security is always relative, and never an absolute concept. In fact, specific risks and threats always inform which measures should be taken. Balancing these risks and threats is essential for optimal data protection.
What legal foundations underpin data security?
Data security is a desired state; the duty to protect personal data derives from the provisions of the General Data Protection Regulation (EU GDPR or UK GDPR respectively). The regulation defines the data protection objectives of confidentiality, integrity, and availability. These objectives can only be achieved by taking technical aspects into account, which brings us to the field of data security. Article 32 of the UK GDPR specifically requires that “appropriate technical and organisational measures [are taken] to ensure a level of security appropriate to the risk”. The UK GDPR also urges organisations to keep pace with new developments and security measures, i.e. with the state of the art.
For which parties is data security particularly relevant?
Article 9 of the UK GDPR defines special categories of personal data that are particularly vulnerable and must be protected at all costs, including data relating to health and political opinions as well as data concerning sexual orientation. Anyone who processes such particularly vulnerable data must make great efforts to protect it. Sensitive data in payment transactions and account details do not, by definition, fall under Article 9 of the UK GDPR. However, financial institutions processing valuable data are fully aware that the requirements for data security are exceptionally high.
You're not sure whether data security is relevant for you? No problem! Our experts will be more than happy to support you with every question.
Which areas are covered by data security?
Taken as a whole, data security is generally a combination of various control measures. These include controls on access, transfer, entry, orders, and availability. Another important aspect is “multi-client capability”. In IT, this is the concept of the separability of data, i.e. the ability for different users to work within one system without having access to each other’s data.
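The separability of data described above is enforced in practice by making every read and write carry the caller's client (tenant) identity and filtering on it, rather than trusting the caller to ask only for its own records. The following Python example is an added illustration, not code from the article: it models a shared data store holding two constructed tenants, "acme" and "globex", and shows that a lookup by record id from the wrong tenant is refused exactly as if the record did not exist, and that a request without any tenant context is rejected outright.

```python
"""Tenant-scoped data access: every read and write carries the caller's
tenant id, so one client can never reach another client's records.
Added illustration, not code from the article; all names and records
are constructed for the example."""
from dataclasses import dataclass, field


class TenantIsolationError(Exception):
    """Raised when a request arrives without a tenant context."""


@dataclass(frozen=True)
class Record:
    record_id: int
    tenant_id: str      # owner of the record; set at insert time, never rewritten
    payload: str


@dataclass
class TenantScopedStore:
    """In-memory store standing in for a shared database table.

    The store itself holds all tenants' rows in one place (as a shared
    database would); separation is enforced by the access methods, which
    require a tenant id and filter on it for every operation."""
    _rows: dict = field(default_factory=dict)
    _next_id: int = 1

    def insert(self, tenant_id: str, payload: str) -> Record:
        if not tenant_id:
            raise TenantIsolationError("tenant context required")
        rec = Record(self._next_id, tenant_id, payload)
        self._rows[rec.record_id] = rec
        self._next_id += 1
        return rec

    def get(self, tenant_id: str, record_id: int) -> Record:
        """Look up by id, but only within the caller's tenant.

        A row belonging to another tenant is treated exactly like a row that
        does not exist, so a caller cannot even learn that the id is in use."""
        if not tenant_id:
            raise TenantIsolationError("tenant context required")
        rec = self._rows.get(record_id)
        if rec is None or rec.tenant_id != tenant_id:
            raise KeyError(record_id)
        return rec

    def list_for(self, tenant_id: str) -> list:
        """Return only the caller's rows, never the whole table."""
        if not tenant_id:
            raise TenantIsolationError("tenant context required")
        return [r for r in self._rows.values() if r.tenant_id == tenant_id]


def demo() -> dict:
    """Populate the store with two constructed tenants and exercise the boundary."""
    store = TenantScopedStore()
    a = store.insert("acme", "acme invoice 2024-01")
    b = store.insert("globex", "globex payroll export")

    cross_tenant_blocked = False
    try:
        store.get("acme", b.record_id)      # acme asking for globex's row
    except KeyError:
        cross_tenant_blocked = True

    missing_context_blocked = False
    try:
        store.get("", a.record_id)          # no tenant context at all
    except TenantIsolationError:
        missing_context_blocked = True

    return {
        "acme_sees": [r.record_id for r in store.list_for("acme")],
        "globex_sees": [r.record_id for r in store.list_for("globex")],
        "cross_tenant_blocked": cross_tenant_blocked,
        "missing_context_blocked": missing_context_blocked,
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the tenant filter lives in the only code path that touches the rows; an application layer that forgets to filter cannot leak data, because there is no unfiltered access method to call.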
What are easy ways to improve data security?
The effectiveness of the measures and actions you take always depends on the specific case. Open Internet ports are, however, the major weak spot of any system. Where possible, the simplest security measure for locally running systems is simply to pull the plug and disconnect them from the Internet altogether; this massively reduces the risk of attack, because anyone who wants to enter the system must then be physically present. An experienced consultant will be able to identify additional measures for individual situations that have the same effect as flipping a switch: ten seconds of effort, a substantial level of impact.
Does the cloud increase my data security?
It might seem curious at first, but even though the Internet is the most obvious point of attack, a move to the cloud can boost data protection and data security. Extra precautions are needed when doing so, and it is imperative to select a reputable cloud provider carefully. The mere question of where the servers are physically located (e.g. within or outside the UK) has data protection implications. Once a provider with high standards has been found, however, using the cloud can massively increase data security, especially for small companies. The same holds for many public authorities, which have failed to act on this matter for a long time. By moving their data to a secure cloud, companies place their trust in the hands of professionals who make backups in addition to monitoring and protecting the servers. These experts also do something that is especially important given the coronavirus restrictions currently in place: they can guarantee the availability of data at all times, data without which working from home would not be possible in the first place.
What data security standards are there?
The Network and Information Systems Regulations 2018 are aimed at improving cybersecurity in the UK. The National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO) regularly issue guidance and advice for organisations in the UK.
This guidance comprises important recommended actions for all fields of IT. A relevant international cybersecurity standard is ISO 27001. Companies can be certified under ISO 27001 as well as under other standards. There are also standards compatible with the requirements of ISO 27001 but tailored to the capacities and needs of SMEs and larger companies respectively.
With this in mind, larger companies may establish a Security Operations Centre (SOC) or implement a SIEM solution (Security Information and Event Management). Traditionally, only large companies would establish a SOC; however, SOCs are now relevant for SMEs as well, because many of them are now data businesses and the risk of cyber-attacks and breaches is higher than before. A SOC can analyse all data traffic using algorithms and identify conspicuous events in the network.
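To make the “conspicuous events” a SOC or SIEM looks for concrete, here is an added Python example that is not part of the article: a small detection rule run over constructed authentication log lines in a syslog-like layout. It keeps a sliding window of failed logins per source address, raises a first alert when the window crosses a threshold, and raises a higher-priority alert if a successful login from the same source follows that burst, which is the pattern an analyst would want surfaced first. The log lines, the 5-failure threshold and the 60-second window are all assumptions chosen for the illustration.

```python
"""SOC/SIEM-style detection over authentication log lines: flag a source
that fails logins repeatedly inside a short window, and escalate when a
success from the same source follows the burst.
Added illustration, not code from the article; the log lines below are
constructed for the example and the thresholds are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Optional

# Constructed sample: timestamp, host, outcome, user, source IP (documentation ranges).
SAMPLE_LOG = """\
2024-03-01T08:00:01 vpn01 sshd: Failed password for admin from 203.0.113.7
2024-03-01T08:00:03 vpn01 sshd: Failed password for admin from 203.0.113.7
2024-03-01T08:00:04 vpn01 sshd: Failed password for root from 203.0.113.7
2024-03-01T08:00:06 vpn01 sshd: Failed password for admin from 203.0.113.7
2024-03-01T08:00:07 vpn01 sshd: Failed password for backup from 203.0.113.7
2024-03-01T08:00:09 vpn01 sshd: Accepted password for backup from 203.0.113.7
2024-03-01T08:05:00 vpn01 sshd: Failed password for alice from 198.51.100.2
2024-03-01T08:09:00 vpn01 sshd: Accepted password for alice from 198.51.100.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)$"
)

FAIL_THRESHOLD = 5          # assumed tuning value
WINDOW_SECONDS = 60         # assumed tuning value


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None          # unparseable lines are skipped, never guessed at
    d = m.groupdict()
    d["ts"] = datetime.fromisoformat(d["ts"])
    return d


def detect(log_text: str) -> list:
    """Return alerts in the order they fire.

    Keeps a sliding window of failure timestamps per source IP. Reaching
    FAIL_THRESHOLD failures within WINDOW_SECONDS raises a 'brute_force'
    alert once per source; a later 'Accepted' from a source that tripped
    that alert raises 'success_after_burst'."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()                 # sources that already tripped brute_force
    alerts = []

    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        window = failures[src]

        if ev["outcome"] == "Failed":
            window.append(ts)
            # drop failures that fell out of the time window
            while window and (ts - window[0]).total_seconds() > WINDOW_SECONDS:
                window.popleft()
            if len(window) >= FAIL_THRESHOLD and src not in flagged:
                flagged.add(src)
                alerts.append({"type": "brute_force", "src": src,
                               "count": len(window), "at": ts.isoformat()})
        elif src in flagged:
            alerts.append({"type": "success_after_burst", "src": src,
                           "user": ev["user"], "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample, only 203.0.113.7 produces alerts: a brute_force alert on its fifth failure and a success_after_burst alert when the "backup" account then logs in. The single failure from 198.51.100.2 followed by a success stays quiet, which is the point of windowing and thresholds: a mistyped password is not an incident.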
How can one’s own data security be audited?
There’s no need to beat around the bush here. If your company’s IT operations have been a “side task” of one of your colleagues in another department for years or even decades, it’s time to get an outside perspective.
Long-standing routines might leave one blinkered and unable to adequately judge risks that never stop developing. External data security experts can carry out a penetration test as part of a security analysis, inspecting all your system components for weaknesses. You can then run through attack scenarios together and develop suitable countermeasures.
If you are interested in getting deeper information about the costs of a data privacy audit or if you are looking for an external DPO, feel free to reach out to our experts!