Data protection VS cyber security
I am sure that when I tell people I am a data protection specialist, 95% of them assume I spend my days looking at code-filled screens, neutralising cyber-attacks launched by people seeking world domination via the dark web. Well, I don’t, because cyber security and data protection are not the same thing. But they are complementary – two sides of the same coin, so to speak! So what are the differences?
To start with, data protection, in and of itself, does very little to protect data, because that is the responsibility of whoever is processing it – the term ‘data protection’ is actually a damaging misnomer. Instead, it is represented by a set of principles with some complementary rules, written into law, to be instigated by any organisation processing personal data. These laws expect processing to be done in a controlled way in support of pre-defined purposes, whilst upholding the rights of those people whose very data is being processed. They are not about blocking the flow of data; quite the opposite, in fact.
When it comes to security of processing, the UK General Data Protection Regulation is not overly prescriptive. The relevant principle requires organisations to apply ‘appropriate technical or organisational measures’. This means it is left to the organisation to determine how much effort is expended in this regard, mostly based on perceived risk and resources. Ironically, they will only find out if their efforts were enough after the event!
Cyber security, on the other hand, is solutions-driven: its aim is to stop bad things from happening to data. It is often perceived to be expensive hardware flashing away in the corner or a suite of elaborate software tools embedded in your IT system. Clearly these have their place, but they are not the whole story. Such expenditure is wasted if systems are not set up properly, or staff don’t understand how to use them or, worse still, they are so cumbersome that people find workarounds!
An essential part of cyber security is about influencing people’s behaviour. This is governed by their awareness of the threats and of the procedures to counter them. Good training makes for a better first-line defence, which can be backed up by technical solutions as appropriate. In other words, it is a mixed bag of ‘soft’ and ‘hard’ measures commensurate with risk. Here the cross-over between cyber security and data protection is self-evident.
I should reiterate that a data protection specialist is not the same animal as a cyber security guru, and rarely will you find someone who can boast expertise in both disciplines. That said, I am confident in saying that any organisation needs a bit of both. This is because a resilient and responsible privacy framework is one that fulfils the organisation’s legal obligations and includes training, mature policies and evidence of effective procedures, as well as the proportionate use of security-related technology. In short, it takes a proportionate application of both sides of the same coin to fit the bill.
Phil Brown, Data Protection Specialist
CJ International Services Ltd