Data Protection vs. Data Security

Updated: Feb 28, 2018

As a law firm with a specific focus on personal data, we observe that companies have a tendency to confuse data protection with data security. While data security may be a part of data protection, these two concepts are very different.

We are writing about the two concepts because we believe that understanding the differences between them will help organizations develop a better level of awareness and compliance.


As a law firm working on data protection compliance projects, we have had the chance to visit many companies in Turkey, and our first observation is that most people confuse data protection with data security.

When we start a data protection compliance program, the first reaction we receive from the IT department in most cases is that the company has ISO 27001 certification, has completed all penetration tests successfully and has a very secure system. This reaction is a result of the confusion between data security and data protection.


Data protection deals with personal data and is based on certain fundamental principles, such as:

1. Personal data shall be processed fairly and lawfully.

2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

4. Personal data shall be accurate and, where necessary, kept up to date.

5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

As you can see, the principles mentioned above cover only how data should be handled by natural or legal persons (data controllers), and data protection laws (including the law in Turkey) are based on these principles. Therefore, data protection is primarily a legal issue, and data protection compliance audits mostly focus on the legal side, with only some emphasis on the technical side.


Data security, on the other hand, is the protection of databases and systems, or in other words the prevention of unwanted or unauthorized access to databases. Therefore, data security is mainly a technical and procedural issue.

Further, data security audits differ from data protection compliance audits: data security audits do not have a legal component, whereas data protection compliance audits are mainly legal work.

In light of the above, we would like to point out that data security is not a substitute for data protection, and that holding an ISO 27001 certificate or having completed penetration tests does not remove your obligation to conduct a data protection compliance project.

