What is data protection?
Data protection is a catch-all term for all security measures and safeguards that protect your own – and your clients’ – data.
All businesses in the EU are obligated under GDPR (General Data Protection Regulation) to protect their customers’, employees’ and other partners’ data – including their personal data. This applies to both internal (people in the organization) and external (for example, hackers) parties.
It’s up to the business itself to implement sufficient safety measures that protect data. These safeguards are usually categorized as either:
- Technical security measures or precautions
- Organizational security measures or precautions
The appropriate degree or extent of such measures for your business is up to you. This requires, among other things, that you make a Data Protection Impact Assessment (DPIA) and a consequence analysis of your data protection. You can find a template for a Data Protection Impact Assessment (DPIA) on GDPR.EU.
Furthermore, it’s important that you can document that you’ve installed or implemented the necessary measures, and that you subsequently and regularly evaluate whether they’re sufficient in order to protect the personal information you process.
There are a number of internationally recognized standards for data protection, such as:
- ISO 29151
- ISO 29134
- ISO 27001
They can be read in full on the International Organization for Standards’ website.
As a data manager and as a data processor it’s important that, even if you’re following the standards and guidelines, this is not synonymous with complying with GDPR. For that reason it’s important that you have a systematic, professional, and structured approach to the job. If you process sensitive personal data (‘special category of personal data’) it can be necessary to add-on or expand with subsequent protection measures.
Technical data protection
Technical data protection and safeguards are all forms of security measures that rely on digital tools and IT infrastructure. It exists predominantly on computers and servers.
This could, for example, be:
- Firewalls
- Passwords
- 2-factor authentication
- Encryption
- Logging of data handling
- Different administrative roles
- Storing data in levels (so a breach doesn’t give access to all data)
- Anti-virus
- Backup
Organizational data protection
Organizational data protection and safeguards are the type of data protection that involves people and processes. Data is secured by training employees and following guidelines that prohibit unplanned error or intentional breaches of personal data.
This term applies to:
- Procedures for data processing
- Clear distribution of roles and access
- Security courses
- Education of employees
- Risk- and consequence assessments
- Action plans for breaches of personal data