Data protection vs. data security

Data protection and data security are closely linked.

GDPR has focused everyone’s attention on data protection. But often, it can be difficult to understand the difference between data security and data protection.

- Data protection is defined as “legal control over access to and use of data.” Achieving it takes a combination of administrative and technical measures.

- Data security is the process of securing data so that only authorised people can access or modify it. It can be seen as one key element in achieving data protection.


Data protection

Data protection takes a combination of administrative and technical measures. Administrative measures include legal aspects (privacy policies, terms and conditions, etc.).

One of the most important aspects of GDPR is the legal basis for processing a subject’s data.

In many cases, the basis will be “informed consent,” which can be withdrawn at any time.

Rights of data subjects

GDPR grants eight fundamental rights.


  1. Right to be informed: Ensure your users have been told what personal data you are collecting and how you will use it (how it will be processed). This includes using their data for automated decision-making or profiling.
  2. Right of access: Give users control over whether their personal data is being processed, and, if requested, provide a full copy of all their data within a reasonable time. This must include additional information relating to how the data has been processed.
  3. Right to rectification: If a user requests rectification, you must update/correct the data you hold about them without undue delay.
  4. Right to erasure (right to be forgotten): When a user asks, you must delete all the data you hold on them without undue delay. This can be an issue if you are storing backups.
  5. Right to restrict processing: In certain circumstances, such as while awaiting a decision relating to rectification or erasure, a user can ask you to “quarantine” their data and no longer process it.
  6. Right to data portability: When asked, you must provide the user with a full copy of all their data in a structured, commonly used, and machine-readable format such as JSON.
  7. Right to object: Where you are processing data on the basis of public interest, official authority vested in you, or your legitimate interests, the user has a right to object to this, which you must consider.
  8. Rights in relation to automated decision-making and profiling: A user may deny you permission to make decisions solely on the basis of automatic processing or profiling which has any legal effects or affects them significantly.

Technical requirements

Many of these rights, such as the right to erasure and the right to data portability, require technical measures to implement them. GDPR also has strict rules regarding breach notification (informing users and data protection authorities as soon as you suspect a data breach). Following any reported breach, the data protection authority (DPA) has a right to inspect all your systems and will want to see detailed logs relating to data access, consent, etc.
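To make the technical side of these rights concrete, here is an added Python example (it is not code from the original article or from Chino.io's platform). It sketches an in-memory store that records consent as the legal basis for processing, refuses processing when consent is missing or the user has asked for restriction, exports a full machine-readable copy for access and portability, erases on request, and keeps an audit trail of every access and consent event of the kind a DPA would ask to see. The class and method names, the record layout and the sample data are all assumptions made for this example.

```python
"""Added example: minimal technical implementation of GDPR subject rights.
Everything here (names, layout, sample data) is constructed for illustration."""
import json
from datetime import datetime, timezone


def _now():
    return datetime.now(timezone.utc).isoformat()


class PersonalDataStore:
    def __init__(self):
        self.records = {}      # user_id -> dict of personal data
        self.consent = {}      # user_id -> {"purposes": set, "given_at": str}
        self.restricted = set()  # user_ids whose processing is "quarantined"
        self.audit_log = []    # one entry per access, change or consent event

    def _log(self, user_id, action, detail=""):
        # Accounting: the log records *what happened*, never the data values themselves
        self.audit_log.append({"ts": _now(), "user_id": user_id,
                               "action": action, "detail": detail})

    # --- legal basis: informed consent, recorded per purpose, withdrawable ---
    def record_consent(self, user_id, purposes):
        self.consent[user_id] = {"purposes": set(purposes), "given_at": _now()}
        self._log(user_id, "consent_given", ",".join(sorted(purposes)))

    def withdraw_consent(self, user_id):
        self.consent.pop(user_id, None)
        self._log(user_id, "consent_withdrawn")

    def store(self, user_id, data):
        self.records[user_id] = dict(data)
        self._log(user_id, "store", ",".join(sorted(data)))   # field names only

    # --- ordinary processing: blocked by restriction or missing consent ---
    def process(self, user_id, purpose):
        if user_id in self.restricted:
            self._log(user_id, "process_refused", "processing restricted")
            raise PermissionError("processing restricted by the data subject")
        allowed = self.consent.get(user_id, {}).get("purposes", set())
        if purpose not in allowed:
            self._log(user_id, "process_refused", f"no consent for {purpose}")
            raise PermissionError("no legal basis for this purpose")
        self._log(user_id, "process", purpose)
        return self.records[user_id]

    # --- right of access / right to data portability ---
    def export_dict(self, user_id):
        self._log(user_id, "export")
        consent = self.consent.get(user_id)
        return {
            "personal_data": self.records.get(user_id, {}),
            "consent": None if consent is None else
                       {"given_at": consent["given_at"],
                        "purposes": sorted(consent["purposes"])},
            # "additional information relating to how the data has been processed"
            "processing_history": [e for e in self.audit_log
                                   if e["user_id"] == user_id],
        }

    def export_json(self, user_id):
        # Structured, commonly used, machine-readable format
        return json.dumps(self.export_dict(user_id), indent=2)

    # --- right to restrict processing ---
    def restrict(self, user_id):
        self.restricted.add(user_id)
        self._log(user_id, "restrict")

    # --- right to erasure ---
    def erase(self, user_id):
        self.records.pop(user_id, None)
        self.consent.pop(user_id, None)
        self.restricted.discard(user_id)
        self._log(user_id, "erase")   # evidence that erasure happened, no data kept


if __name__ == "__main__":
    s = PersonalDataStore()
    s.record_consent("user-42", ["newsletter"])          # constructed sample
    s.store("user-42", {"email": "someone@example.com"})
    print(s.export_json("user-42"))
    s.erase("user-42")
    print(s.audit_log[-1]["action"])
```

Note that the store refuses processing for a purpose the user never consented to, and that erasure leaves only a log entry saying the erasure occurred; the backup copies mentioned in the list above are exactly what such a simple store does not cover and must be handled separately.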

GDPR is careful to avoid being over-prescriptive about how you should protect personal data. This is for two reasons. Firstly, not all businesses have equal resources and may store data differently. Secondly, data security is an ever-evolving field, so if GDPR mandated a given approach, it would quickly be outdated. NB, this is in stark contrast to HIPAA, which makes very precise recommendations relating to data security.

Data Security

There are three main forms of data security. Firstly, you need to be able to authenticate users and check what data they are allowed to access. Secondly, you need to actually secure that data, typically using some form of encryption. Thirdly, you need to protect your network, usually with a firewall.

AAA - Authentication, Authorisation, and Accounting - is used to control who has access to data, to control what they are allowed to do with that data, and to keep records of every access or change.

Encryption involves securing your data with a cryptographic algorithm and a key. Data should be encrypted at rest (storage) and in flight (e.g., when you transfer it from the user's device to the backend).

Firewalls help protect against network threats such as unauthorised access, ransomware, and viruses.

However, several other techniques can help you secure your data. One of the best-known is pseudonymization. This involves storing the user IDs separately from the actual data.
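The following Python example, added here and not taken from the original article or from Chino.io's platform, shows the separation pseudonymization relies on: the data store is keyed by a pseudonym derived with a keyed hash, the table that maps real user IDs back to pseudonyms lives in a separate "identity vault", and the store refuses to accept direct identifiers in the payload so that, on its own, it identifies nobody. The class names, the set of fields treated as identifiers, the HMAC key and the sample records are assumptions made for this example.

```python
"""Added example: pseudonymisation by splitting identities from payloads.
Class names, identifier fields, key material and sample data are constructed."""
import hashlib
import hmac
import secrets


class IdentityVault:
    """Kept separately from the data: user_id -> pseudonym lookup plus the HMAC key."""

    def __init__(self, key=None):
        # Constructed for the example; in production the key lives in a KMS/HSM
        self._key = key or secrets.token_bytes(32)
        self._lookup = {}   # user_id -> pseudonym

    def register(self, user_id):
        # Deterministic keyed pseudonym: same user -> same pseudonym,
        # but unguessable from the user_id without the key
        p = hmac.new(self._key, user_id.encode(), hashlib.sha256).hexdigest()
        self._lookup[user_id] = p
        return p

    def lookup(self, user_id):
        return self._lookup.get(user_id)

    def resolve(self, pseudonym):
        # Re-identification is only possible with access to this vault
        for uid, p in self._lookup.items():
            if hmac.compare_digest(p, pseudonym):
                return uid
        return None

    def unlink(self, user_id):
        # Removing the mapping leaves the payload in the store but unlinkable
        self._lookup.pop(user_id, None)


class PseudonymisedStore:
    """Holds only pseudonym -> payload; direct identifiers are rejected."""

    IDENTIFIERS = {"name", "email", "phone"}   # assumed list for the example

    def __init__(self, vault):
        self.vault = vault
        self.records = {}   # pseudonym -> non-identifying payload

    def put(self, user_id, record):
        leaked = self.IDENTIFIERS & set(record)
        if leaked:
            raise ValueError(f"direct identifiers not allowed: {sorted(leaked)}")
        self.records[self.vault.register(user_id)] = dict(record)

    def get(self, user_id):
        p = self.vault.lookup(user_id)
        return None if p is None else self.records.get(p)

    def average(self, field):
        # Processing that needs no identities can run on the store alone
        values = [r[field] for r in self.records.values() if field in r]
        return sum(values) / len(values) if values else None


if __name__ == "__main__":
    vault = IdentityVault()
    store = PseudonymisedStore(vault)
    store.put("alice", {"age": 34, "plan": "pro"})   # constructed sample records
    store.put("bob", {"age": 40, "plan": "free"})
    print(list(store.records))                        # only 64-char pseudonyms
    print(store.get("alice"), store.average("age"))
```

Keeping the vault and its key apart from the data store means a leak of the store alone exposes no identities, while the business still resolves a user when it legitimately needs to; the vault is therefore the component that deserves the strictest access control and the most detailed accounting.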

Want to know more?

I really hope you enjoyed this content, and I’d love to hear your thoughts in the comments!

If you want to know more, go to our blog, contact us, or visit our website www.chino.io

See you soon!

Jovan Stevovic - CEO at Chino.io

Chino.io, your trusted compliance partner

The one-stop shop for solving all privacy and security compliance aspects.

As a partner of our clients, we combine regulatory and technical expertise with a modular IT platform that allows digital applications to eliminate compliance risks and save costs and time.

Chino.io makes compliant-by-design innovation happen faster, combining legal know-how and data security technology for innovators.

To learn more, book a call with our experts.


#compliance #gdpr #dataprotection #datasecurity
