ARTICLE
20 May 2025

Data Privacy: The Divergence And Convergence Of Data Protection And Data Security: A Legal Perspective

Gresyndale Legal

Contributor

Gresyndale International is a corporate law firm that helps international entities come into West African countries and function effectively, especially in Nigeria and Kenya. Our subsidiary, Gresyndale Legal, offers premier legal advisory services to businesses worldwide. Our team of dedicated and exceptional lawyers provides top-notch services in various areas of law.

ABSTRACT

This article explores the convergence and divergence between data protection and data security, two fundamental yet often conflated concepts in digital governance. It distinguishes the two by analyzing their convergence in practice and examining how a breach in one affects the other. It concludes that a holistic approach integrating legal compliance with technical safeguards is indispensable for modern data governance.

INTRODUCTION

Growing awareness of how personal data is used has raised concerns about data processing and technological reliance, and it has significantly amplified concerns about protecting and securing personal information. Data protection and data security are frequently used interchangeably in regulatory and operational discourse, yet they have distinct meanings and implications. Both aim to ensure the safe handling of data, but they do so through different methods and viewpoints. This paper explains these differences and highlights their complementary roles in achieving robust information governance.

CONCEPTUAL FRAMEWORK

Data Protection

Data protection concerns the legal and ethical dimensions of handling personal data. It encompasses the principles governing personal information collection, processing, storage, and sharing. Regulatory frameworks such as the General Data Protection Regulation (GDPR) in the European Union (European Parliament, 2016) and the Nigerian Data Protection Act 2023 (NDPA) emphasize individual rights, data minimization, purpose limitation, and informed consent. Data protection thus ensures that personal data is lawfully and fairly processed, reflecting the fundamental right to privacy. Data protection has two major players that manage data: the data controller and the data processor.

Data Security

Data security refers to the technical and organizational measures designed to protect data from unauthorized access, alteration, or destruction. It involves encryption, access controls, network security, and disaster recovery mechanisms. The goal is to preserve data's confidentiality, integrity, and availability (CIA). Data security does not, by itself, address whether the data being protected is lawfully obtained or processed.

Key Distinctions

| Feature | Data Protection | Data Security |
|---|---|---|
| Focus | Legal rights and ethical processing | Technical safeguards against unauthorized access or harm |
| Legal Foundation | Rooted in privacy laws and regulations | Based on cybersecurity standards and risk management protocols |
| Objective | Ensuring lawful, fair, and transparent use of personal data | Preventing unauthorized access, leakage, or tampering of data |
| Tools Used | Consent forms, privacy notices, data policies | Firewalls, encryption, multi-factor authentication |

CONVERGENCE AND DIVERGENCE

Convergence

Data protection and data security are distinct, yet neither can exist without the other. A secure system for collecting data requires the support of adequate data security measures to prevent unauthorized access and data loss. Likewise, data security protocols must operate within the legal and ethical boundaries of data use. A secured system that processes data without consent still violates data protection laws.

For example, encryption of personal data enhances its confidentiality but must be paired with the lawful acquisition and use of that data. Therefore, both principles must function harmoniously to fulfil legal and operational obligations.

Because the two intersect, there are situations in which an incident in one leads to or causes an incident in the other.

  • Security Breach Leading to a Privacy Breach

A typical convergence scenario arises when poor technical safeguards lead to unauthorized access to personal data. For instance, a ransomware attack that results in the exposure of health records involves both a data security and data privacy breach. Here, technical failure causes a rights-based violation.

  • Privacy Breach Facilitating a Security Breach

Also, a privacy breach may precede a security incident. If personal data such as credentials or contact information is misused due to improper handling, it can be weaponized in phishing or social engineering attacks that compromise broader systems.

Divergence

It should be noted that not every data privacy breach connotes a breach of, or fault in, data security. This section discusses scenarios in which one occurs without the other.

  • Breach of Data Privacy without Data Security Failure

A privacy breach may occur without a breach of security measures. A breach of data privacy arises when personal data is lawfully accessed but unlawfully processed. For example, suppose an employee accesses customer data using authorized credentials and misuses it for personal purposes that are not in line with the purpose for which the data was collected. In that case, this constitutes a data protection breach but not a security breach.

  • Breach of Data Security without Data Privacy Infringement

Not all security breaches result in a privacy breach. If an intruder gains access to anonymized or pseudonymized data that cannot be traced back to identifiable individuals, the incident may be classified strictly as a security breach. Note that no violation of data subject rights occurs unless the data is re-identifiable.

BENEFITS

Data Protection

  • It upholds the constitutional and statutory rights of individuals.
  • It enhances the corporate reputation and customer trust.
  • It ensures regulatory compliance, thereby avoiding fines and litigation.

Data Security

  • It prevents data breaches and cyberattacks.
  • It maintains operational continuity.
  • It protects organizational and customer assets from loss and corruption.

CONCLUSION

Data protection and data security may be distinct in scope and methodology, but they are intrinsically interconnected. Their divergence lies in focus, one legal and the other technical, yet their convergence is indispensable for ensuring trustworthy and compliant data handling. Therefore, organizations must foster a culture that prioritizes both legal compliance and technical fortification. The integrity of one without the other is an illusion; only together can they form a sustainable and defensible data governance framework.

References

  • European Parliament. (2016). Regulation (EU) 2016/679 (General Data Protection Regulation). Official Journal of the European Union.
  • Federal Republic of Nigeria. (2023). Nigeria Data Protection Act.
  • Hadnagy, C. (2018). Social Engineering: The Science of Human Hacking. Wiley.
  • Information Commissioner's Office (ICO). (2023). Data protection and employment practices.
  • Kuner, C., Cate, F. H., Millard, C., & Svantesson, D. J. (2017). The international and comparative law dimensions of "data privacy". International Data Privacy Law, 7(1), 1–4.
  • Pfleeger, C. P., & Pfleeger, S. L. (2012). Security in Computing (5th ed.). Prentice Hall.
  • Solove, D. J., & Schwartz, P. M. (2020). Information Privacy Law (6th ed.). Aspen Publishers.
  • Tikkinen-Piri, C., Rohunen, A., & Markkula, J. (2018). EU General Data Protection Regulation: Changes and implications for personal data collecting companies. Computer Law & Security Review, 34(1), 134–153.

www.Gresyndale.com/blog/

https://www.linkedin.com/company/gresyndale-legal/
