Get your tailored quote!

Or book an appointment here...

OR WHY NOT GIVE US A CALL ON:

(020) 3695 6452
Daido_Metal_UK
Elevate_Logo_RGB-1
MJ_Quinn_UK
1200px-IAPP_logo.svg
Telekom_logo
Finefair

Even though data protection and information security are implemented by entirely different business areas in most companies, the two concepts have much in common. And those who are aware of the synergies and know how to use them can save a lot of time and effort. We can show the ways in which data protection and information security can complement each other and why efficient interplay is becoming increasingly important.

What you need to know in a nutshell

  • In contrast to data protection, information security protects corporate assets.
  • IT security is once again distinct from information security, but is often mistakenly equated with it.
  • In addition to the GDPR, there are other laws that deal with information security.
  • A DPO takes care of the protection of data of affected persons, a CISO or ISB, on the other hand, solely takes care of the interests of the company.
  • It is most efficient for a company if the DPO and CISO or ISB work together.

In this article


The differences between information security, IT security and data protection

Before we discuss the similarities between data protection and information security, let us briefly look at the differences between the two terms:

Information security describes the protection of information and corporate values according to at least three objectives:

  • Confidentiality: data is only accessible to authorised persons
  • Integrity: no wrongful or unscheduled changes are possible
  • Availability: data can be restored after a server downtime, security incident, fire on premises, or other data loss

While there are international standards and norms that define information security requirements and measures for implementation, a legal framework only exists for specific cases. More information will follow soon.

By the way: The term ‘IT security’ is sometimes misleadingly taken as being synonymous to information security. However, IT security only describes all the processes and measures that are directly related to the IT systems or hardware security. For example, properly managing paper files is one of the issues surrounding information security, but not IT security.

 

Data privacy always refers to the protection of personal data. In contrast to information security, it is less about protecting information itself than about protecting the people behind the data. Since May 2018, the General Data Protection Regulation and the Data Protection Act 2018, have formed the legal basis for data privacy in the UK.

 

Why both data protection and information security are gaining in importance

A number of laws directly pertaining to data protection and information security have been introduced across the globe or amended over the past few years. This is partly due to rapid technical progress, digitisation and the associated risks (e.g., from cyberattacks and data leaks as well as the threat to the privacy of consumers).

Currently, in the UK the data protection and security framework is formed of the Data Protection Act 2018, UK General Data protection Regulation, Privacy and Electronic Communications Regulations, and Computer Misuse Act 1990.

Consumers, B2B customers, investors, employees and other stakeholders are also becoming more aware of data protection and information security. Unresolved data protection issues thus delay sales processes by an average of four weeks, sometimes even an entire year. And investors have companies undergo in-depth due diligence audits that scrutinise information security. Certifications – such as ISO 27001 and TISAX® – are becoming increasingly important in the battle to gain sales partners and customers.

By the way: While ISO 27001 is a common abbreviation, the technically correct term is ISO/IEC 27001.

As many companies know they need ISO 27001 certification, but have no idea how to approach it in practice, we designed a free to download roadmap. In it, you will find a step-by-step guide to implementing ISO 27001. 

Download Roadmap

Who is responsible for maintaining information security and data privacy?

Data protection and information security are considered “top priority” – this means that the key decisions (for example, risk decisions) are made by the top management and that the responsibility for mistakes is incumbent on the company’s management. The following roles primarily bring the necessary expertise for implementation:

The role of Data Protection Officer (DPO) is to inform and advise the top management as well as the employees of their data protection obligations, monitor compliance and provide advice and guidance in order to complain an adequate level of compliance. They analyse the current state of the personal data compliance and the level of data security and suggest ways to improve it. The DPO focuses on the implementation of data protection laws (such as the Data Protection Act 2018 and the UK GDPR) and the protection of the data subjects’ privacy. They must have ramifications across the organisation, because data protection ultimately affects each department of a company. The position is well suited for outsourcing, which means that a company can be supported by independent experts in terms of data protection. Please read this article to find out more about the responsibilities of a DPO.

The Chief Information Security Officer (CISO) or Information Security Officer (ISO)

Unlike the DPO, the CISO or ISO can fully concentrate on the company’s interests. They can do so because, in their position, they do not have to weigh up between protecting the people behind the data and business success. However, they have to manage another balancing act: the one between protecting information/assets and running a smooth business process. They usually report directly to the top management, while closely collaborating with the IT department and the compliance and legal teams.

 

 

CISO/ISO

Data Protection Officer

Tasks & responsibilities

  • Protection of company values/assets from attacks and data loss
  • Certifications according to ISO 27001/27002 or TISAX®  
  • Introduction of an information security management system
  • Selection of suitable methods and tools
  • Risk management and consulting for the company’s management
  • Cross-departmental communication
  • Data protection audit within the company
  • Consulting for the company’s management on compliance with data privacy laws
  • Reduction of the risk of data breaches/data privacy violations
  • Staff training
  • Preparation of relevant data privacy documentation
  • Consulting of the company and communicating with the authorities

Training

As a rule, IT specialists or computer scientists with advanced training / specialisation in the area of security and extensive professional experience Not infrequently, lawyers or economists with appropriate training

Who do they report to?

Normally, they are directly accountable to the company’s management

Pursuant to the UK GDPR provisions, the DPO is not obligated to follow instructions

Legally required?

No, their tasks and responsibilities are not prescribed by law and largely depend on the respective company and the rules to be adhered to. These do not include special cases in the public sector, for example

Yes, for most companies. UK GDPR also describes the DPO’s tasks and responsibilities in detail

Employment

Could be internal or external, depending on the company’s requirements and size.

Could be internal or external, depending on the company’s requirements. An internal DPO is protected against dismissal

Areas where data protection and compliance overlap – this is how companies can use synergies

In the meantime, it is common knowledge that international standards and best practices go a long way towards implementing various compliance tasks. ISO 27001 is the appropriate standard for the development of information security management systems. In addition to the technical equipment requirements, it also describes the security requirements for all processes and business activities of a company, as well as the qualifications and trustworthiness of the people involved – including not only the workforce and the management, but also the suppliers.

Conveniently, there are many areas where ISO 27001 and the UK GDPR overlap. These include:

  1. Technical data protection requirements: 32 of the UK GDPR sets very similar protection objectives as personal data protection requirements to those set for the basic principles of information security in ISO 27001.
    1. Technical and organisational measures (TOMs) should be implemented according to the state of the art (the wording is almost identical here).
    2. The controls set out in ISO 27001 are almost identical to the typical technical and organisational measures that are often implemented in accordance with the UK GDPR.
  1.  
  2. The core component of both subject areas is risk management (i.e., weighing up the probability of occurrence, damage, importance for the company's success or risks to the rights and freedoms of data subjects). In many cases, data protection impact is easier to assess if the results of an information security risk assessment are provided.

  3. In contrast to ISO 27001, the UK GDPR does not explicitly require that a management system be set up, but an integrated management system can help implement several regulatory requirements in an asset and process-oriented manner. And that doesn't stop with data protection and information security, but runs throughout compliance.
With an integrated management system, companies can move away from subject-specific silos towards centralised management of measures that focus on the entire process.

Summary: The Data Protection Officer and the CISO benefit from a process-oriented management system together with the compliance department

Imagine a dessert cook, head chef, sommelier and bartender working in the same hotel, who never communicate with each other. This would result in complicated supplier orders without volume discounts for menus that are neither consistent nor compatible with the wine list. In the kitchen, the cooks would constantly tread on one another’s toes and argue about fridge space. However, if the individual employees get together regularly, they can support each other, place large orders together and develop harmonious culinary ideas – with lower expenses.

In the same way, specialist departments that work in isolation on various data protection and compliance issues suffer from a much greater workload with worse results. And just like in a hotel, the focus should be placed on the process itself. Instead of culinary highlights, this would refer to safe, transparent and legally compliant processes.

Would you like to make better use of the synergies of data protection and information security? We’ll be happy to help you. At DataGuard, we offer consulting services in both areas and help companies to implement the requirements of the UK GDPR as well as carry out audits in accordance with ISO 27001.

Back to the top

What is your Goal Today?

1. Hire us to Stay compliant

DataGuard can become your partner in crime when it comes to data privacy and information security. Now, the next step is up to you. Feel free to either use more of our content to inform yourself about the relevant topics or reach out to us.

Claim your free consultation session

3. Contact Us

More than 1,500 customers already trust us to become GDPR compliant. Don’t hesitate - Let’s get in touch!

close