IT security and data protection are central topics in the digital age, but they often leave medium-sized and large companies at a loss. Legislators are increasingly trying to protect citizens and consumers at national and international level, for example through rules on the processing of personal data such as the GDPR.
However, it is precisely such legal regulations that contain many undefined legal terms whose interpretation matters in practice. After all, serious obligations for companies arise from the GDPR and other laws.
For people unfamiliar with the subject, correctly interpreting data protection and IT security law presents a major challenge. The consequences of inadequate data protection are not only problematic internally but can also entail regulatory sanctions.
But what exactly is meant by data protection and IT security? What obligations do companies have? Can ISO 27001 certification help with compliance with legal requirements? Read more about this in this article.
Do you need individual support on this topic? Our team comprises experienced data protection law, IT, and security experts. We would be happy to support you in implementing data protection regulations. Contact us directly for a no-obligation initial consultation.
The most important facts in brief
- With the introduction of the GDPR, companies are required to develop a data protection concept and take technical and organizational measures to protect personal data.
- Companies must meet operational requirements and ensure information security internally. Linking data protection and information security can seem complicated, but it also holds advantages for companies.
- Certification against a standard such as ISO 27701 (an extension of ISO 27001 for privacy information management) can help to link data protection and information security and combine them in a common management system. It is not itself a GDPR certification under Art. 42, but it supports the work of meeting the GDPR's requirements.
How do data protection and information security differ?
At first, information security and data protection sound synonymous. You might think the two terms describe the same thing, and other words such as data security or IT security add to the confusion. What does each term mean, and how are they used correctly?
Since all of them concern the security of processing personal data in the company, the terms naturally overlap, sometimes more, sometimes less. Nevertheless, the various terms take on different tasks and positions in companies.
Because of these overlaps, exact definitions and delimitations are hard to pin down; how the terms are interpreted often depends on the author and context. That does not make things easier for consumers or laypersons.
To provide an overview and understand the fundamental differences, let’s explain the terms:
Data protection is the protection of every person's privacy. In the EU, and in Germany in particular through the constitutionally recognized right to informational self-determination, individuals have the right to determine how their personal data is used.
At the same time, people should be protected from data misuse. Data protection regulations such as the GDPR therefore govern the handling of personal data, including the obligation to inform each person about the use of their data.
Data security is also about protecting data, but the term is used more generally. It is not just about personal data but about any data worth protecting, analog or digital, for example confidential information about a company or its products.
Data security should protect against manipulation, theft, loss, and unauthorized disclosure. In contrast to data protection, the lawfulness of collecting and processing the data is not the question; the question is how data can be protected from unauthorized access at all.
ISO 27001 and ISO 27701 in particular speak of information security, i.e., the protection of information of all kinds. Here, too, it is irrelevant whether the information is digital or analog, or whether it relates to a person. Data security can be considered part of information security, as the latter is the more comprehensive term.
Like data security, IT security can be seen as part of information security. It concerns electronically stored information and IT systems and, in addition to the technical processing of information, includes the operational security of the IT systems themselves.
What obligations do companies have concerning data protection?
Data protection requirements in the EU are regulated primarily by the GDPR (General Data Protection Regulation). In Germany, the Federal Data Protection Act (BDSG) applies in addition.
The GDPR gives the member states a certain amount of leeway through its opening clauses, which is why the BDSG has been adapted to supplement it. For companies, however, the GDPR remains the more relevant text.
The GDPR does not prescribe a particular management system, but Art. 24, 25 and 32 GDPR require a structured, risk-based approach:
- To be able to take data protection measures, companies must first formulate protection requirements and goals and use them to build an integrated management system.
- Risk analyses determine which threats exist and where the need for protection is particularly high. Appropriate technical and organizational measures are then developed to achieve the protection goals.
- Protection goals describe the target state; they are not only set by companies themselves but can also be taken from standards.
Concerning these defined protection goals, companies must take measures that demonstrably achieve them. The objectives of data protection and of information security must both be included in this process.
In plain language: in practice it is usually impossible to separate individual objectives cleanly from the actions taken to achieve them. All protection goals and their measures are interrelated and must be considered as a whole.
The GDPR names the following protection goals and principles, chiefly in Art. 5 (principles for processing) and Art. 32 (security of processing); "intervenability" is the term the German Standard Data Protection Model (SDM) uses for the data subject rights in Art. 7(3) and Art. 15 to 21:
- Confidentiality of personal data
- Availability (data is accessible and usable whenever it is needed)
- Integrity (data cannot be altered or destroyed without authorization and remains accurate)
- Resilience of processing systems and services
- The ability to restore availability of and access to the data in a timely manner after a physical or technical incident
- Intervenability (data subjects can exercise their rights, for example withdraw consent, object, or demand rectification or erasure, and the controller can actually act on such requests)
- Regular testing, assessment and evaluation of the effectiveness of the technical and organizational measures
- Instructing employees to process data only within the specified scope and on the controller's instructions, and to keep it confidential
- Purpose limitation (data may only be used for specified, explicit and legitimate purposes defined in advance)
- Data minimization (only data that is adequate, relevant and necessary for the purpose is processed)
- Storage limitation (data may only be stored as long as required for the purpose, after which it must be deleted or anonymized)
- Accountability of the controller (the company is responsible for compliance with these principles and must be able to demonstrate it)
How can companies determine their protection goals?
A security or risk management cycle is the basis of all these measures. The cycle consists of stages that are passed through again and again in pursuit of the protection goals:
- Identify: Companies must identify threats to specific areas and operations, and where risks may arise there. It is hard to find every risk factor and error-prone process and to name every single point, so a one-off analysis is not enough; it is a continuous process, hence the cycle.
- Assess: Each risk is rated by how likely it is that a damaging event will occur and, in addition to the probability, how severe the damage would be, both for the person concerned and for the company.
- Control: Controlling means reducing the risk: suitable measures are taken to eliminate it or keep it as small as possible. These can be specific security procedures, assignments of responsibility, employee work instructions, or restructuring. The suitability and the extent of the measures depend on how the risk was assessed; the effort should be in proportion to the risk.
- Monitor: Both the risks and the measures are monitored. The aim is to check whether the risks have been effectively and efficiently eliminated or reduced, or whether there is room for improvement. New threats that become apparent during monitoring re-enter the cycle at the identification step.
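The following is an added example, not code from the original article, of one pass through the identify, assess, control, monitor cycle on a small risk register. The four-step scales, the risk appetite, the three risks and the measures are all constructed assumptions for illustration; they are not values taken from the GDPR or any standard. The point it shows is that a risk is scored on the worse of the two impacts (data subject or company), that measures are chosen in proportion to that score, and that whatever remains above appetite after treatment goes round the cycle again.

```python
# Added example: one pass through the identify -> assess -> control -> monitor
# cycle on a constructed risk register. Scales, risks and measures are
# assumptions made for illustration, not values from the GDPR or any standard.
from dataclasses import dataclass, field

# Ordinal 1..4 scales (assumption): 1 = rare/negligible, 4 = almost certain/severe.
SCALE_MAX = 4
RISK_APPETITE = 4  # residual scores above this stay open and re-enter the cycle


@dataclass
class Measure:
    """A technical or organizational measure and how many scale steps it removes."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    name: str
    likelihood: int
    impact_subject: int   # damage to the data subject
    impact_company: int   # damage to the company
    measures: list = field(default_factory=list)


def clamp(level):
    """Keep a scale value inside 1..SCALE_MAX."""
    return max(1, min(SCALE_MAX, level))


def inherent_score(risk):
    """Assess: likelihood x the worse of the two impacts, before any measures."""
    return risk.likelihood * max(risk.impact_subject, risk.impact_company)


def residual_score(risk):
    """Control: re-score after the measures; reductions add up but never drop below 1."""
    lik = clamp(risk.likelihood - sum(m.likelihood_reduction for m in risk.measures))
    imp = clamp(max(risk.impact_subject, risk.impact_company)
                - sum(m.impact_reduction for m in risk.measures))
    return lik * imp


def treat(risk, *measures):
    """Attach measures; the caller picks them in proportion to inherent_score()."""
    risk.measures.extend(measures)
    return residual_score(risk)


def monitor(register):
    """Monitor: names of risks still above appetite, which re-enter the cycle."""
    return [r.name for r in register if residual_score(r) > RISK_APPETITE]


def build_register():
    """Identify: constructed risks for a fictional company's customer data."""
    return [
        Risk("lost laptop with customer export", likelihood=3, impact_subject=3, impact_company=2),
        Risk("phishing leads to account takeover", likelihood=4, impact_subject=3, impact_company=3),
        Risk("ransomware, backups never test-restored", likelihood=2, impact_subject=2, impact_company=4),
    ]


def run_cycle(register):
    """Run one full cycle; returns {risk name: (inherent, residual, still_open)}
    ordered by inherent score, highest first."""
    by_name = {r.name: r for r in register}
    # Treatment chosen in proportion to the inherent score (our own assumed choices).
    treat(by_name["lost laptop with customer export"],
          Measure("full-disk encryption", impact_reduction=2))
    treat(by_name["phishing leads to account takeover"],
          Measure("phishing-resistant MFA", likelihood_reduction=2))
    treat(by_name["ransomware, backups never test-restored"],
          Measure("quarterly restore tests", impact_reduction=2))
    still_open = set(monitor(register))
    return {r.name: (inherent_score(r), residual_score(r), r.name in still_open)
            for r in sorted(register, key=inherent_score, reverse=True)}


if __name__ == "__main__":
    for name, (inherent, resid, is_open) in run_cycle(build_register()).items():
        print(f"{name:42s} inherent={inherent:2d} residual={resid:2d} "
              f"{'OPEN' if is_open else 'accepted'}")
```

Running it leaves the phishing risk open: MFA lowers the likelihood, but the damage of a successful takeover is unchanged, so the residual score (6) is still above the assumed appetite (4). That is exactly the kind of finding the monitoring step feeds back into identification, where a second measure (for example, limiting what a single compromised account can export) would be considered in the next pass.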
Is information security also data protection?
Information security is a kind of "data protection" for companies and their processes. Companies have a legitimate interest in protecting their data, processes, and trade secrets, and as with data protection this requires a concept consisting of protection goals, risk analyses, and measures.
This concept is not primarily intended to protect third parties and their data but the company's own data, above all its production and business processes, which are particularly exposed to deliberate data theft or manipulation. A company must also systematically prevent unintentional damage to its data.
The German Federal Office for Information Security (BSI) has developed IT baseline protection (IT-Grundschutz). It consists of BSI standards and a compendium of modules that guide companies in determining what protection needs exist and which measures must be taken.
IT baseline protection requires the entire information domain to be captured and analyzed, including all processes, applications, systems, networks and rooms. Each of these target objects is recorded separately and assigned to one of the layers of the so-called layer model, so that, for example, systems, networks and applications are each handled with their own modules.
Particularly in the case of complex work processes, this creates clarity and makes it easier to find risks and security measures. Target objects with the same protection needs can then be identified and addressed in a bundled manner.
At the same time, overlaps and duplicate work are avoided, which reduces effort and cost. Continuous improvement and updates can also be integrated more quickly, since only the affected layer needs to be revisited.
As with data protection, this requires a risk management cycle that identifies, prioritizes, reduces, and then monitors risks over the long term.
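As an added example (not code from the article or from the BSI), the following shows how protection needs propagate across three layers of a baseline-protection structure analysis and how target objects with identical needs are bundled. The asset inventory is constructed. The inheritance rule used is the BSI method's maximum principle: a system needs at least what the most demanding application running on it needs. The BSI method also knows a cumulation effect (many "normal" applications on one system can add up to "high") and a distribution effect; both are deliberately left out here to keep the rule readable.

```python
# Added example: protection-needs determination across the layers of an
# IT baseline protection structure analysis. The inventory below is constructed.
# Inheritance uses the maximum principle only; cumulation and distribution
# effects from the BSI method are intentionally not modelled.
LEVELS = ["normal", "high", "very high"]  # BSI protection-need categories, ascending
GOALS = ("confidentiality", "integrity", "availability")


def higher(a, b):
    """Return the higher of two protection-need levels."""
    return a if LEVELS.index(a) >= LEVELS.index(b) else b


def combine(needs_list):
    """Maximum principle: per goal, the highest need of any dependent asset."""
    result = {g: "normal" for g in GOALS}
    for needs in needs_list:
        for g in GOALS:
            result[g] = higher(result[g], needs[g])
    return result


# Layer 1: business processes and their stated protection needs (constructed).
PROCESSES = {
    "payroll": {"confidentiality": "very high", "integrity": "high", "availability": "normal"},
    "web shop orders": {"confidentiality": "high", "integrity": "high", "availability": "high"},
    "marketing newsletter": {"confidentiality": "normal", "integrity": "normal", "availability": "normal"},
}
# Layer 2: applications and the processes they support.
APPLICATIONS = {
    "hr-suite": ["payroll"],
    "shop-backend": ["web shop orders"],
    "mailer": ["marketing newsletter", "web shop orders"],  # order confirmations go out via it
}
# Layer 3: IT systems and the applications they host.
SYSTEMS = {
    "db-01": ["hr-suite", "shop-backend"],
    "app-01": ["shop-backend", "mailer"],
    "app-02": ["mailer"],
}


def application_needs():
    """Each application inherits from the processes it supports."""
    return {app: combine([PROCESSES[p] for p in procs])
            for app, procs in APPLICATIONS.items()}


def system_needs():
    """Each system inherits from the applications it hosts."""
    apps = application_needs()
    return {sys_: combine([apps[a] for a in hosted])
            for sys_, hosted in SYSTEMS.items()}


def bundles(needs):
    """Group assets with identical (C, I, A) needs so measures are chosen once per bundle."""
    groups = {}
    for asset, n in needs.items():
        key = tuple(n[g] for g in GOALS)
        groups.setdefault(key, []).append(asset)
    return groups


if __name__ == "__main__":
    for system, needs in system_needs().items():
        print(system, needs)
    for key, assets in bundles(system_needs()).items():
        print("bundle", key, "->", assets)
```

Two things worth noticing in the output: the mailer inherits "high" confidentiality even though the newsletter process alone would be "normal", because order confirmations also flow through it; and db-01 ends up in a bundle of its own with "very high" confidentiality, which is the object the payroll data actually lives on. Bundling app-01 and app-02 together means the hardening baseline for both is decided once.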
How are information security and data protection related?
As the definitions already show, data protection is about protecting personal data, in other words about protecting people and their self-determination rather than the company.
Information security also covers this data, but its focus is more on process-related data and technical processes. A link arises wherever personal data passes through these processes, for example to be edited or stored.
It is also important to note that data minimization is risk minimization. Large data sets may be valuable to companies, but with regard to both legal data protection requirements and information security, less data means fewer risks: what is not stored cannot be leaked or lost. In this respect, data protection regularly makes information security easier.
In addition, the legally defined protection goals create a common context. Not only are the data protection guarantees in the company actually delivered by information security and IT security measures, but the mechanisms and obligations are similar, if not identical.
Many specifications are therefore also made about how data protection is to be handled within information security: for example, data subjects must be informed about the processing and the procedures involved (Art. 13 and 14 GDPR).
There are therefore many ways to offer IT products and services while providing more transparency to data subjects and demonstrating compliance with legal requirements, for example through certification.
Employees form an essential interface between data protection and information security, since they manage corporate processes or carry them out themselves and must keep an eye on both corporate security and data protection. It is therefore just as important to create the necessary awareness internally. Employees should be trained on the threat of data protection incidents and their sanctions; they are part of the first line of defense.
Does data protection lead to greater information security?
It is particularly complex for companies to combine IT security and data protection into one efficient and effective overall concept. However, such a combination has many advantages:
- Many certifications are tied to information security rather than data protection, which is why established standards and concrete control catalogues exist there, while the law itself says comparatively little about how information security is to be implemented.
- For data protection it is the reverse: the legislator focuses on it and imposes strict rules, but there is a lack of concrete specifications on how to implement them.
- Because of the far-reaching overlaps, a combined approach can draw on the data protection laws for the requirements and on the information security standards for the implementation, so that both sides benefit and a consistent overall concept emerges. Data protection without information security can hardly function.
How does ISO certification help to fulfill these obligations?
A recognized certification of data protection management, for example against the international standard ISO 27701, can help companies ensure that data protection regulations are met.
While ISO 27701 is not identical to the GDPR, it can serve as a building block for meeting legal obligations. ISO 27701 extends ISO 27001 and provides guidance and implementation controls for properly handling personal data.
In the complex jungle of legal requirements surrounding data protection, it can be challenging to develop a data protection concept that interacts closely with information security. Certification confirms that the standard's requirements are met and that a well-rounded overall concept is in place; it does not replace the company's own legal assessment of its obligations.
This makes it easier for companies to fulfill their legal and corporate obligations and assists in implementing measures and additional controls.
Although the primary objective of ISO 27701 is protecting personal data, it is nevertheless a good idea to take advantage of existing synergies. ISO 27701 builds on the existing information security management system (ISMS), adds the relevant data protection aspects to it, and fits precisely at the interface between data protection and information security.
Would you like a personal talk on the topic? Our experts with many years of experience in data protection law will be happy to advise you on your concerns or queries. We are here for you in an initial non-binding meeting.