European Data Protection Supervisor

Information security

What you should know about information security

All organisations rely on the use of information in their daily work. For this reason, organisations need to ensure that their information assets, i.e. any piece of data which has value to the organisation (such as an employee record, analysis reports, financial data, trade secrets, contracts, etc.), are suitably protected.

This is a key objective within a specific field called Information Security. Information security refers to the ways and means to protect printed, electronic, or any other form of confidential, private and sensitive information or data from unauthorised access, use, misuse, disclosure, destruction, modification, or disruption. (1)

Information Security is a difficult task, as most organisations are faced with an ever-changing landscape affecting their operations: market development, advances in technology, discovery of new vulnerabilities, a changing legal regime and so on.

Information Security Risk Management (ISRM) is the specific process that helps those responsible for Information Security to manage the uncertainties which might affect the security of their organisation's information over time, and indicates how best to react to these uncertainties within the constraints of their work environment. ISRM includes analysing the risks faced by an organisation and defining appropriate security measures to tackle those risks.

(1) https://www.sans.org/information-security/

What are the main data protection issues?

Data security – Information assets often include personal information (also called personal data). Security is one of the main enablers of data protection. To guarantee an adequate level of protection, organisations must implement a risk management process which assesses the security risks of processing personal data. They must then implement security measures to deal with the identified risks. These measures may include organisational measures (e.g. policies, procedures, etc.) or technical ones (e.g. the implementation of antivirus software, backup files, etc.).

Accountability – Organisations need to ensure that their security controls remain effective in protecting data and mitigating existing threats over time. Regular monitoring, which involves an analysis of the needs of an organisation, its processing operations and its security tools, is the most efficient way to keep an organisation's information security under control and fit for purpose. Such analysis helps organisations to invest in the most appropriate security tools and to justify such investment.

When dealing with personal data, it is also necessary to consider the potential impact on the individuals concerned. For example, compromised security for medical data or criminal records may severely affect an individual and thus requires appropriately strong measures to reduce the associated risks.

More Information

The EDPS has produced guidelines on this topic:

Guidance on Security Measures for Personal Data Processing - Article 22 of Regulation 45/2001 (please note that Regulation 45/2001 has been repealed by Regulation (EU) 2018/1725, which contains a revised Article 33 on Security of Processing)