Even though data protection and information security are implemented by entirely different business areas in most companies, the two concepts have much in common. And those who are aware of the synergies and know how to use them can save a lot of time and effort. We can show the ways in which data protection and information security can complement each other and why efficient interplay is becoming increasingly important.
What you need to know in a nutshell
- In contrast to data protection, information security protects corporate assets.
- IT security is once again distinct from information security, but is often mistakenly equated with it.
- In addition to the GDPR, there are other laws that deal with information security.
- A DPO takes care of protecting the data of affected persons; a CISO or ISB, on the other hand, looks after the interests of the company alone.
- It is most efficient for a company if the DPO and CISO or ISB work together.
In this article
- The difference between information security, IT security and data protection
- Why both data protection and information security are gaining in importance
- Who is responsible for maintaining information security and data privacy?
- Areas where data protection and compliance overlap - this is how companies can use synergies
- Summary: The Data Protection Officer and the CISO benefit from a process-oriented management system together with the compliance department
The differences between information security, IT security and data protection
Before we discuss the similarities between data protection and information security, let us briefly look at the differences between the two terms:
Information security describes the protection of information and corporate values according to at least three protection objectives.
While there are international standards and norms that define information security requirements and measures for implementation, a legal framework only exists for specific cases. More information will follow soon.
By the way: The term ‘IT security’ is sometimes misleadingly taken as being synonymous with information security. However, IT security only describes the processes and measures that are directly related to IT systems or hardware security. For example, properly managing paper files is one of the issues covered by information security, but not by IT security.
Data privacy always refers to the protection of personal data. In contrast to information security, it is less about protecting the information itself than about protecting the people behind the data. Since May 2018, the General Data Protection Regulation and the Data Protection Act 2018 have formed the legal basis for data privacy in the UK.
Why both data protection and information security are gaining in importance
A number of laws directly pertaining to data protection and information security have been introduced across the globe or amended over the past few years. This is partly due to rapid technical progress, digitisation and the associated risks (e.g., from cyberattacks and data leaks as well as the threat to the privacy of consumers).
Currently, the UK data protection and security framework consists of the Data Protection Act 2018, the UK General Data Protection Regulation, the Privacy and Electronic Communications Regulations, and the Computer Misuse Act 1990.
Consumers, B2B customers, investors, employees and other stakeholders are also becoming more aware of data protection and information security. Unresolved data protection issues thus delay sales processes by an average of four weeks, sometimes even an entire year. And investors have companies undergo in-depth due diligence audits that scrutinise information security. Certifications – such as ISO 27001 and TISAX® – are becoming increasingly important in the battle to gain sales partners and customers.
By the way: While ISO 27001 is a common abbreviation, the technically correct term is ISO/IEC 27001.
As many companies know they need ISO 27001 certification but have no idea how to approach it in practice, we designed a free-to-download roadmap. In it, you will find a step-by-step guide to implementing ISO 27001.
Who is responsible for maintaining information security and data privacy?
Data protection and information security are considered “top priority” – this means that the key decisions (for example, risk decisions) are made by the top management and that the responsibility for mistakes is incumbent on the company’s management. The following roles primarily bring the necessary expertise for implementation:
The Data Protection Officer (DPO)
The role of the Data Protection Officer (DPO) is to inform and advise the top management as well as the employees of their data protection obligations, monitor compliance, and provide advice and guidance in order to maintain an adequate level of compliance. They analyse the current state of personal data compliance and the level of data security and suggest ways to improve it. The DPO focuses on the implementation of data protection laws (such as the Data Protection Act 2018 and the UK GDPR) and the protection of the data subjects’ privacy. They must have reach across the whole organisation, because data protection ultimately affects every department of a company. The position is well suited to outsourcing, which means that a company can be supported by independent data protection experts. Please read this article to find out more about the responsibilities of a DPO.
The Chief Information Security Officer (CISO) or Information Security Officer (ISO)
Unlike the DPO, the CISO or ISO can concentrate fully on the company’s interests. They can do so because, in their position, they do not have to weigh protecting the people behind the data against business success. However, they have to manage another balancing act: the one between protecting information and assets and running smooth business processes. They usually report directly to the top management, while closely collaborating with the IT department and the compliance and legal teams.
| | CISO/ISO | Data Protection Officer |
| --- | --- | --- |
| Tasks & responsibilities | | |
| Training | As a rule, IT specialists or computer scientists with advanced training or specialisation in the area of security and extensive professional experience | Not infrequently, lawyers or economists with appropriate training |
| Who do they report to? | Normally, they are directly accountable to the company’s management | Pursuant to the UK GDPR provisions, the DPO is not obligated to follow instructions |
| Legally required? | No, their tasks and responsibilities are not prescribed by law and largely depend on the respective company and the rules to be adhered to. This does not cover special cases such as the public sector | Yes, for most companies. The UK GDPR also describes the DPO’s tasks and responsibilities in detail |
| Employment | Could be internal or external, depending on the company’s requirements and size | Could be internal or external, depending on the company’s requirements. An internal DPO is protected against dismissal |
Areas where data protection and compliance overlap – this is how companies can use synergies
By now, it is common knowledge that international standards and best practices go a long way towards implementing various compliance tasks. ISO 27001 is the appropriate standard for developing an information security management system. In addition to the technical equipment requirements, it also describes the security requirements for all processes and business activities of a company, as well as the qualifications and trustworthiness of the people involved – including not only the workforce and the management, but also the suppliers.
Conveniently, there are many areas where ISO 27001 and the UK GDPR overlap. These include:
- Technical data protection requirements: Article 32 of the UK GDPR sets protection objectives for personal data that are very similar to the basic principles of information security in ISO 27001.
- Technical and organisational measures (TOMs) should be implemented according to the state of the art (the wording is almost identical here).
- The controls set out in ISO 27001 are almost identical to the typical technical and organisational measures that are often implemented in accordance with the UK GDPR.
- The core component of both subject areas is risk management (i.e., weighing up the probability of occurrence, the damage, the importance for the company's success, or the risks to the rights and freedoms of data subjects). In many cases, the data protection impact is easier to assess if the results of an information security risk assessment are available.
- In contrast to ISO 27001, the UK GDPR does not explicitly require that a management system be set up, but an integrated management system can help implement several regulatory requirements in an asset and process-oriented manner. And that doesn't stop with data protection and information security, but runs throughout compliance.
Summary: The Data Protection Officer and the CISO benefit from a process-oriented management system together with the compliance department
Imagine a dessert cook, head chef, sommelier and bartender working in the same hotel, who never communicate with each other. This would result in complicated supplier orders without volume discounts for menus that are neither consistent nor compatible with the wine list. In the kitchen, the cooks would constantly tread on one another’s toes and argue about fridge space. However, if the individual employees get together regularly, they can support each other, place large orders together and develop harmonious culinary ideas – with lower expenses.
In the same way, specialist departments that work in isolation on various data protection and compliance issues suffer from a much greater workload with worse results. And just like in a hotel, the focus should be placed on the process itself. Instead of culinary highlights, this would refer to safe, transparent and legally compliant processes.
Would you like to make better use of the synergies of data protection and information security? We’ll be happy to help you.
At DataGuard, we offer consulting services in both areas and help companies to implement the requirements of the UK GDPR as well as carry out audits in accordance with ISO 27001. Get in touch with us today: