Available at a fixed monthly cost

Get your quote today

What we offer at a glance

  • Get an external data protection officer
  • Audit of your data privacy status quo
  • GDPR support for small businesses and large corporations
  • Personal contact person & individual support
  • Easier communication with authorities
  • 100+ experts from the fields of law, economics & IT

Don't trust us, trust them:

Jedox  Logo Contact Demodesk Logo Contact Elevate Logo Contact Canon  Logo Contact CBTL Logo Contact Alasco  Logo Contact RightNow Logo Contact Veganz Logo Contact Escada Logo Contact First Group Logo Contact

Learn more about our prices & services

or call us now: (020) 36956 452

Information security and data protection: efficiency through synergies

Even though data protection and information security are implemented by entirely different business areas in most companies, the two concepts have much in common. And those who are aware of the synergies and know how to use them can save a lot of time and effort. We can show the ways in which data protection and information security can complement each other and why efficient interplay is becoming increasingly important.

What you need to know in a nutshell

  • In contrast to data protection, information security protects corporate assets.
  • IT security is once again distinct from information security, but is often mistakenly equated with it.
  • In addition to the GDPR, there are other laws that deal with information security.
  • A DPO takes care of the protection of data of affected persons, a CISO or ISB, on the other hand, solely takes care of the interests of the company.
  • It is most efficient for a company if the DPO and CISO or ISB work together.

In this article


The differences between information security, IT security and data protection

Before we discuss the similarities between data protection and information security, let us briefly look at the differences between the two terms:

Information security describes the protection of information and corporate values according to at least three objectives:

  • Confidentiality: data is only accessible to authorised persons
  • Integrity: no wrongful or unscheduled changes are possible
  • Availability: data can be restored after a server downtime, security incident, fire on premises, or other data loss

While there are international standards and norms that define information security requirements and measures for implementation, a legal framework only exists for specific cases. More information will follow soon.

By the way: The term ‘IT security’ is sometimes misleadingly taken as being synonymous to information security. However, IT security only describes all the processes and measures that are directly related to the IT systems or hardware security. For example, properly managing paper files is one of the issues surrounding information security, but not IT security.

 

Data privacy always refers to the protection of personal data. In contrast to information security, it is less about protecting information itself than about protecting the people behind the data. Since May 2018, the General Data Protection Regulation and the Data Protection Act 2018, have formed the legal basis for data privacy in the UK.

Why both data protection and information security are gaining in importance

A number of laws directly pertaining to data protection and information security have been introduced across the globe or amended over the past few years. This is partly due to rapid technical progress, digitisation and the associated risks (e.g., from cyberattacks and data leaks as well as the threat to the privacy of consumers).

Currently, in the UK the data protection and security framework is formed of the Data Protection Act 2018, UK General Data protection Regulation, Privacy and Electronic Communications Regulations, and Computer Misuse Act 1990.

Consumers, B2B customers, investors, employees and other stakeholders are also becoming more aware of data protection and information security. Unresolved data protection issues thus delay sales processes by an average of four weeks, sometimes even an entire year. And investors have companies undergo in-depth due diligence audits that scrutinise information security. Certifications – such as ISO 27001 and TISAX® – are becoming increasingly important in the battle to gain sales partners and customers.

By the way: While ISO 27001 is a common abbreviation, the technically correct term is ISO/IEC 27001.

As many companies know they need ISO 27001 certification, but have no idea how to approach it in practice, we designed a free to download roadmap. In it, you will find a step-by-step guide to implementing ISO 27001. 

ISO 27001 Implementation Roadmap

Who is responsible for maintaining information security and data privacy?

Data protection and information security are considered “top priority” – this means that the key decisions (for example, risk decisions) are made by the top management and that the responsibility for mistakes is incumbent on the company’s management. The following roles primarily bring the necessary expertise for implementation:

The role of Data Protection Officer (DPO) is to inform and advise the top management as well as the employees of their data protection obligations, monitor compliance and provide advice and guidance in order to complain an adequate level of compliance. They analyse the current state of the personal data compliance and the level of data security and suggest ways to improve it. The DPO focuses on the implementation of data protection laws (such as the Data Protection Act 2018 and the UK GDPR) and the protection of the data subjects’ privacy. They must have ramifications across the organisation, because data protection ultimately affects each department of a company. The position is well suited for outsourcing, which means that a company can be supported by independent experts in terms of data protection. Please read this article to find out more about the responsibilities of a DPO.

The Chief Information Security Officer (CISO) or Information Security Officer (ISO)

Unlike the DPO, the CISO or ISO can fully concentrate on the company’s interests. They can do so because, in their position, they do not have to weigh up between protecting the people behind the data and business success. However, they have to manage another balancing act: the one between protecting information/assets and running a smooth business process. They usually report directly to the top management, while closely collaborating with the IT department and the compliance and legal teams.

 

 

CISO/ISO

Data Protection Officer

Tasks & responsibilities

  • Protection of company values/assets from attacks and data loss
  • Certifications according to ISO 27001/27002 or TISAX®  
  • Introduction of an information security management system
  • Selection of suitable methods and tools
  • Risk management and consulting for the company’s management
  • Cross-departmental communication
  • Data protection audit within the company
  • Consulting for the company’s management on compliance with data privacy laws
  • Reduction of the risk of data breaches/data privacy violations
  • Staff training
  • Preparation of relevant data privacy documentation
  • Consulting of the company and communicating with the authorities

Training

As a rule, IT specialists or computer scientists with advanced training / specialisation in the area of security and extensive professional experience Not infrequently, lawyers or economists with appropriate training

Who do they report to?

Normally, they are directly accountable to the company’s management

Pursuant to the UK GDPR provisions, the DPO is not obligated to follow instructions

Legally required?

No, their tasks and responsibilities are not prescribed by law and largely depend on the respective company and the rules to be adhered to. These do not include special cases in the public sector, for example

Yes, for most companies. UK GDPR also describes the DPO’s tasks and responsibilities in detail

Employment

Could be internal or external, depending on the company’s requirements and size.

Could be internal or external, depending on the company’s requirements. An internal DPO is protected against dismissal

Areas where data protection and compliance overlap – this is how companies can use synergies

In the meantime, it is common knowledge that international standards and best practices go a long way towards implementing various compliance tasks. ISO 27001 is the appropriate standard for the development of information security management systems. In addition to the technical equipment requirements, it also describes the security requirements for all processes and business activities of a company, as well as the qualifications and trustworthiness of the people involved – including not only the workforce and the management, but also the suppliers.

Conveniently, there are many areas where ISO 27001 and the UK GDPR overlap. These include:

  1. Technical data protection requirements: 32 of the UK GDPR sets very similar protection objectives as personal data protection requirements to those set for the basic principles of information security in ISO 27001.
    1. Technical and organisational measures (TOMs) should be implemented according to the state of the art (the wording is almost identical here).
    2. The controls set out in ISO 27001 are almost identical to the typical technical and organisational measures that are often implemented in accordance with the UK GDPR.
  1.  
  2. The core component of both subject areas is risk management (i.e., weighing up the probability of occurrence, damage, importance for the company's success or risks to the rights and freedoms of data subjects). In many cases, data protection impact is easier to assess if the results of an information security risk assessment are provided.

  3. In contrast to ISO 27001, the UK GDPR does not explicitly require that a management system be set up, but an integrated management system can help implement several regulatory requirements in an asset and process-oriented manner. And that doesn't stop with data protection and information security, but runs throughout compliance.
With an integrated management system, companies can move away from subject-specific silos towards centralised management of measures that focus on the entire process.

Summary: The Data Protection Officer and the CISO benefit from a process-oriented management system together with the compliance department

Imagine a dessert cook, head chef, sommelier and bartender working in the same hotel, who never communicate with each other. This would result in complicated supplier orders without volume discounts for menus that are neither consistent nor compatible with the wine list. In the kitchen, the cooks would constantly tread on one another’s toes and argue about fridge space. However, if the individual employees get together regularly, they can support each other, place large orders together and develop harmonious culinary ideas – with lower expenses.

In the same way, specialist departments that work in isolation on various data protection and compliance issues suffer from a much greater workload with worse results. And just like in a hotel, the focus should be placed on the process itself. Instead of culinary highlights, this would refer to safe, transparent and legally compliant processes.

Would you like to make better use of the synergies of data protection and information security? We’ll be happy to help you.

At DataGuard, we offer consulting services in both areas and help companies to implement the requirements of the UK GDPR as well as carry out audits in accordance with ISO 27001. Get in touch with us today:Book an appointment

   Back to the top

About the author

Tobias Forbes Tobias Forbes
Tobias Forbes

Tobias Forbes is a certified Data Protection Officer and ISO/IEC 27001 Officer and Auditor. Since 2020, he has been working as a Privacy Tech Consultant at DataGuard. As an economist, he has been advising customers of various industries and sizes on IT compliance issues, in particular data protection and information security, since 2015. In the process, he has worked for large financial services and logistics companies as well as a variety of tech companies, among others. After completing his bachelor's and master's degrees in economics, he is currently pursuing a master's degree in compliance, IT and data protection to deepen his professional knowledge. With his interdisciplinary skills in business, IT and data protection, Tobias helps customers of all sizes to meet regulatory requirements and equip their system landscapes with the appropriate security measures.

Explore more articles