Privacy and data security - What's the difference?

What is data protection about, and how does it differ from data security? Are these simply two terms for the same topic? First of all: no, data protection and data security pursue different goals. The terms are admittedly not easy to tell apart, and there is of course a certain overlap between the two topics: data protection cannot work without data security.

Data protection is concerned with the collection, processing and use of personal data of specific or identifiable natural persons. It is regulated by law in the Federal Data Protection Act (BDSG) and is intended to ensure that people's personal rights are not adversely affected by the handling of their data. It is about informational self-determination. The Data Protection Act does not apply to legal entities; data protection applies only to natural persons. It prohibits the unauthorized collection, storage or use of personal data, also known as "data secrecy". According to §5 BDSG, companies are obliged to bind their employees to this prohibition on the unauthorised collection and use of data.

Personal data can be found almost everywhere

Personal data is found in companies of all sizes. Examples of personal data are:

  • Personal details (e.g. name, date of birth, address, telephone number, hair color...)
  • Employee data (e.g. level of education, job, skills, vacation, performance reviews...)
  • Bank details (e.g. account statements, loans, credit cards...)
  • Wage and salary data
  • Health data
  • Consumer behavior
  • ...

Data protection is not possible without an appropriate level of data security. For example, §9 BDSG states that public and non-public bodies must comply with certain technical and organizational measures (TOM). For this purpose, the "8 Commandments of Data Protection" were defined in the annex to §9 BDSG.

  1. Physical access control (Zutrittskontrolle)
    Description of measures to prevent unauthorised persons from gaining physical access to data processing systems that process or use personal data.
  2. System access control (Zugangskontrolle)
    Description of measures to prevent data processing systems from being used by unauthorised persons.
  3. Data access control (Zugriffskontrolle)
    Description of measures which ensure that persons authorised to use a data processing system can access only the data covered by their access authorisation, and that personal data cannot be read, copied, changed or removed without authorisation during processing, use and after storage.
  4. Transfer control
    Description of measures to ensure that personal data cannot be read, copied, modified or removed without authorisation during electronic transmission, transport or storage on data carriers, and measures to ensure that it is possible to verify and establish to which bodies a transfer of personal data by data transmission facilities is intended.
  5. Input control
    Description of measures to ensure that it is possible to check and establish retrospectively whether, and by whom, personal data has been entered into, changed in or removed from data processing systems.
  6. Order control
    Description of measures to guarantee that personal data processed on behalf of a client is processed only in accordance with the client's instructions.
  7. Availability control
    Description of measures to ensure that personal data is protected against accidental destruction or loss.
  8. Separation control
    Description of measures to ensure that data collected for different purposes can be processed separately.

Organizational control is often added as a ninth item. This covers all measures which ensure that the internal organization meets data protection requirements. The implementation of measures to achieve an appropriate level of protection can be summarised under the heading of data security. As you can see, a certain level of data security is required for data protection to work; otherwise, no measures could be described for these eight or nine control points.

Companies must also take measures and precautions to achieve data security, and should comply with them as far as possible. Even if you do not actually collect, process or use any personal data, you will still have to meet data security requirements. The following laws can be used to justify measures relating to data security; the list does not claim to be exhaustive:

  • Company law, e.g. AktG or GmbHG
  • IDW PS 330 (auditors' checklist)
  • BGB (German Civil Code)
  • GDPdU
  • KonTraG

Without data security, there is no data protection

All of these laws require data security measures. As you can see, data security must be in place regardless of whether you process personal data or not. If you collect, process or use personal data, you are additionally subject to the Federal Data Protection Act, which entails certain documentation requirements. The data protection officer must, for example, maintain the register of IT processing procedures. In addition, the technical and organizational measures already mentioned must be recorded, documented, evaluated and periodically reviewed, and this documentation must be available in writing. Finally, the competent data protection authority may request access to the register and to the technical and organizational measures implemented at any time.

Last but not least, a note: please do not confuse data security with data backup. Data backup is one technical measure that contributes to data security; it falls under the availability control measures.

Would you like to find out more about data protection and documentation requirements? You can find more blog articles in our Data Protection section.