Data protection and information security: what’s the difference?

Because the two terms ‘data protection’ and ‘information security’ are often used together, they are easily confused. The Data Protection Act (‘DPA’ for short) covers the protection of personal data and sensitive personal data. Not everyone is aware that the DPA makes specific reference to information security within its list of ‘The 8 Principles of Data Protection’, but we’ll get to this in a moment.

What are the principles of data protection?

If you read our previous blog ‘Why is data protection training important?’ you may recognise them, but just in case you need a recap, they are:

  1. Personal data shall be processed fairly and within the law.
  2. Personal data can only be held for specific and lawful purposes.
  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  4. Personal data shall be accurate and, where necessary, kept up to date.
  5. Personal data shall not be kept for longer than is necessary.
  6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
  7. Appropriate technical and organisational security measures shall be taken against unauthorised access to data.
  8. Personal data must not be transferred to a country outside the European Union unless that country or territory has similar legislation to the Data Protection Act that protects data.

Principle seven

When put into practice, principle seven means that you, as the company or organisation, must have appropriate security in place to prevent the personal data you hold from being deliberately or accidentally compromised. In particular, you will need to:

  • design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach;
  • be clear about who in your organisation is responsible for ensuring information security;
  • make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff; and
  • be ready to respond to any breach of security swiftly and effectively.

So what are the key differences?

Data protection is about how people’s personal data is handled: think names, addresses, contact information, medical history, banking details, credit ratings and even employment records. It can also include, where relevant, sensitive personal data, such as someone’s political opinions. The way this data is collected, accessed, updated, stored and disposed of is all covered by data protection law.

Examples of data protection best practice in your organisation: in practical terms, we’re talking about the length of time you say you keep (and actually do keep) information from your clients, employees or volunteers, such as application forms, booking forms and basic contact details.

Information security (‘infosec’ for short, also known as cyber security) refers to the technical and operational measures that any organisation must take to ensure that the data it holds is safe and secure. Information security is about people, products, processes and every working aspect of a company or organisation. It’s about the way you store the information, and what happens if it gets lost or stolen.

Examples of information security in your organisation: this involves business practices like creating strong passwords, changing your password every 3 months, deciding whether to encrypt your data or, indeed, whether you’d pick up a flash drive from the floor and plug it into your computer to see what’s on it (don’t do this).

What happens when information security fails?

Malware, viruses, hacking and loss or damage can all affect and ultimately ruin a company. It’s been estimated that data loss costs organisations $1.7 trillion a year, and that 60% of the organisations that experience severe data loss or damage cease trading and fold within a year.

Want to know more about data protection? Click the link below and sign up to flick learning’s subscription — it takes less than 35 seconds to sign up, and *spoiler alert* — we’ll be adding in a course on Information Security in the New Year — what are you waiting for?

For our free quickflick guide on data protection and cookies, and understanding your responsibilities — click here
