Data protection and information security as two sides of the same coin.
Data protection is not possible without good information security. The hinge between the two sides of the coin is the Technical and Organisational Measures (TOM). These are reflected in both as Privacy by Design and Privacy by Default. Other parallels between the two spheres are risks, storage, and governance. Risks are handled as part of risk management in information security and as part of the data protection impact assessment (DIA) in data protection. Information is subject to retention periods. However, if information is also personal data, it is subject to deletion periods; together they form a mostly irresolvable contradiction.
Both sides must introduce minimum governance for their treatment: a control function (IPM or DPO), prioritised treatment by management, and sufficient resources in terms of staff, technology and time. It is an obvious step to organise both topics in management systems: an Information Security Management System (ISMS) and a Data Protection Management System (DSMS). An ISMS should be set up according to the ISO 27001 standard; a DSMS, by contrast, should specifically not be set up according to the ISO 27701 standard. For data protection, the straightforward approach according to the GDPR is recommended. Both spheres remain in motion and offer space for new, surprising solutions.
Liubov Khomutovskaya is a Legal Director at CORE. Her expertise focuses on drafting and negotiating IT contracts with German, European, and US partners. She has extensive experience in negotiating IT outsourcing contracts in various industries, including the banking sector and the media industry.
Muskaan Multani is a Transformation Fellow at CORE and has a background in business law and strategic consulting. As a legal consultant and through various internships during her studies, she has already worked on various projects in compliance. She is responsible for supporting project teams and clients in business-critical technology transformations.