At today’s TechConnect conference in Dublin, I had the opportunity to present my arguments as to why information security and data protection must be considered two separate disciplines, regardless of the overlap between them.
You can obtain a copy of my presentation here, but let me summarise the main points:
Defining information security and data protection
I have adopted the following definitions for these two disciplines:
Information Security:
The organisation’s measures to protect against the unauthorised use of its information, especially electronic data, or the measures taken to achieve this.
Data Protection:
An individual’s legal control over access to and use of personal data stored in files, so effecting the right to privacy with regard to personal data.
Adopting these definitions underscores that in respect of information security, and thinking about the scope of ISO27001, the focus is on the organisation and the preservation by it of the confidentiality, integrity and availability of information. Conversely, the focus of data protection is the individual’s rights in respect of their data, and their protection from the risks associated with the use of their personal data.
Convergence
I have separately considered whether there is a convergence between what I consider to be two disciplines.
If you look at the fundamental principles of data protection, as embodied for instance in the GDPR, they clearly do not have their footing in information security. These are pure privacy rights guided by the EU Charter of Fundamental Rights, and The Modernised Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.
However, within data protection there is the principle of data security which, in the manner of ISO27001, is based on the availability, confidentiality and integrity of personal data.
I don’t believe this makes information security a sub-set of data protection. Yet, information security professionals often see data protection as a sub-set of security. For instance, one leading standards institute says:
“By adopting ISO/IEC 27001 as your best practice framework you’ll be in a good position to identify your requirements for the EU GDPR, as well as implement appropriate controls and any additional measures required.”
As a statement, I believe this to be both misleading and wrong.
Whilst, if I were forced to choose, I would argue it is more correct to say that information security should be considered a constituent element of data protection (and not vice versa), I prefer to maintain the position that these are in fact complementary, but entirely different, disciplines.
Information security can be used to support data protection strategies
There are potentially eight key design strategies for data protection:
- Data minimisation
- Separation of data
- Abstraction of data
- Hiding of data
- Transparency of data utilisation
- Enforcement of data policies and procedures
- Effective control over data utilisation
- Demonstration of compliance
It is absolutely the case that information security principles, like those to be found in ISO27001, can inform some of these, specifically: separation, hiding, enforcement and compliance demonstration.
Understanding the intersections
Between the GDPR (representing data protection) and ISO27001 (representing information security), there are clear intersections. It is at these intersections that data protection and information security must collaborate and engage:
A word of advice
Practitioners should not fall into the trap of running a data protection programme principally as an information security programme, or vice versa. This runs the risk of not properly identifying the risks, or of not managing them according to the standards required. And don’t assume that just because your adviser is an expert in one of the disciplines, they properly understand and can advise on the other.