Data protection and information security as two sides of the same coin.

Data protection is not possible without good information security. The hinge on both sides of the coin is the Technical Organisational Measures (TOM). These deposit in both as Privacy by Design and Privacy by Default. Other parallels in both spheres are risks, storage, and governance. Risks are handeled as a part of risk management of information security and as a part of data protection od data protection impact assessment (DIA), information is subject to retention periods. However, if information is also personal data, it is subject to deletion periods - together they form a mostly irresolvable contradiction.

Both sides must introduce minimum governance for their treatment: Control function (IPM or DPO), prioritised treatment by management, sufficient resources in terms of staff, technology and time. It is obvious to organise both topics in management systems: Information Security Management System (ISMS) and Data Protection Management System (DSMS). An ISMS should be set up according to the ISO 27001 standard, a DSMS precisely not according to the ISO 27701 standard. For data protection, the straightforward approach according to the GDPR is recommended. Both spheres remain in motion and offer space for new surprising solutions.