The importance of data protection | General Data Protection Regulation

2023/05/23

Data protection in the information society is an issue of high public interest. With the ever-increasing flow of digital data and technological advances, it is essential that we protect our personal data and privacy. The following is a clear explanation of the importance and basic principles of data protection.

Data protection safeguards the right to privacy and the security of personal data. It includes measures aimed at ensuring that personal data are collected, stored, processed and transmitted in a secure and lawful manner. Data protection seeks to prevent unauthorised access, use, manipulation or disclosure of individuals' personal data. The scope of data protection may include individuals, companies, government bodies and other organisations that process personal data. It includes not only legal and regulatory aspects, but also ethical and trust-building aspects. Its importance is underlined by the growing digital society and the proliferation of different forms and uses of data.

Data protection: processing of personal data | Data protection principles

Data protection has two fundamental aspects: the protection of individuals' rights and the security of personal data. Individuals have the right to control their own data and decide with whom they share it. Security of personal data means taking all necessary measures to ensure that data does not fall into unauthorised hands and is not used for unauthorised purposes.

Data protection principles:

  1. The principle of data minimisation
  2. The principle of transparency
  3. The principle of data security
  4. Responsibility of the controller and the principle of user consent

One of the fundamental principles of data protection is the principle of data minimisation. This means that we only collect and store the data that is really necessary for the purpose for which it is collected. The data collected will be stored only for as long as necessary and used only for the purpose for which it was collected. Another principle is the principle of data accuracy. Personal data must be accurate and up-to-date. Individuals have the right to access their own data and to request its correction or deletion if necessary.

The principle of transparency is a key principle. This means that the processes by which data is collected, stored and used must be communicated in a public and understandable way. Individuals have the right to know what data is being collected about them, for what purposes and with whom it is being shared.

The principles of data protection also include the principle of data security, which includes the protection of data against unauthorised access, manipulation and loss. Data security requires strict technical and organisational measures to be taken, such as the implementation of firewalls, encryption and access restrictions.

Beyond the basic principles, there are other important aspects, such as the responsibility of the controller and the principle of user consent. The controller must ensure that data are kept secure and handled appropriately. Users have the right to give or withdraw their consent to the collection and use of data.

General Data Protection Regulation, or GDPR

Data protection is also shaped by legislation and regulations, such as the General Data Protection Regulation (GDPR) introduced by the European Union, which regulates data protection requirements and provides for the production of European privacy notices and for the rights of individuals with regard to data processing.

Data protection is becoming increasingly important in a digital world driven by technological development and data. Individuals and organisations need to actively address data protection to protect their personal data and privacy. Basic principles of data protection and compliance with data protection legislation can contribute to secure and trustworthy data management and promote individuals' confidence in the digital environment.

Data protection is in everyone's interest, and it is our shared responsibility to pay attention to and respect the protection of personal data.

Data protection incident

A data breach is a situation where personal data is leaked, lost or accessed, either accidentally or without authorisation. This creates opportunities for misuse or unauthorised use of data and can have serious consequences for the data subjects. Breaches can occur in a variety of ways, for example through the hacking of a database or file system, which can lead to unauthorised access to the data stored in it, or through the loss or theft of a storage medium, which can expose potentially sensitive information. Furthermore, a data breach can also be caused by the intentional or accidental deletion of data. The severity and impact of a data breach can vary widely. In the case of a minor incident, data may be accessible to unauthorised persons only on a limited or temporary basis. However, a major incident may result in permanent damage to the privacy or financial situation of the individuals concerned, or even in misuse of their identity.

Data breaches require a swift and effective response. The organisations concerned have a duty to notify the individuals concerned of the incident and to do their utmost to minimise any negative impact. This may include helping affected individuals to recover data, investigating the incident, and reviewing and strengthening data protection measures.

The prevention and effective management of data breaches is a priority to maintain trust and confidence and protect the rights of individuals. Data protection measures, regular reviews and the use of equipment and software to protect personal data can all help to minimise data breaches and strengthen data security. It is important that individuals and organisations are constantly aware of the importance of data protection and take proactive steps to protect it.

Data breach management requires not only IT measures, but also appropriate response and communication. Affected organisations should immediately notify the data protection authorities and the individuals concerned of the incident, and openly and honestly inform them of the situation and the actions taken. Individuals, in turn, need to know how they can counter the effects of the incident, for example by taking steps to enforce their data protection rights.

The management and prevention of data breaches is a multifaceted task that both individuals and organisations should actively support. Ongoing training and information on data protection practices and risks, as well as the development of and compliance with data protection policies and procedures, can all contribute to effective data protection and the minimisation of incidents.

Various privacy and security standards and laws

The following are different privacy and security standards and laws in different industries and jurisdictions:

  • HIPAA: The Health Insurance Portability and Accountability Act (HIPAA) in the United States sets out rules and requirements for protecting health information.
  • PCI-DSS: The Payment Card Industry Data Security Standard (PCI-DSS) is a standard developed by the PCI Security Standards Council for business organisations that handle or process credit card data, setting out requirements for the security and protection of credit card data.
  • ISO 27001: ISO (International Organization for Standardization) standard for the design and implementation of information security management systems (ISMS) to ensure the security of confidential data and information.
  • SOX: The Sarbanes-Oxley Act is a piece of United States legislation that sets out requirements for the accuracy of corporate governance and financial reporting and the retention of data and information.
  • DMCA: The Digital Millennium Copyright Act is a U.S. law that governs the protection of online copyright and the crackdown on illegal content.
  • FISMA: The Federal Information Security Management Act is the U.S. privacy law that governs the information security requirements and practices of government organizations and agencies.
  • GDPR: The European Union's General Data Protection Regulation is an EU law that sets out requirements for the protection of individuals' personal data in the European Economic Area. The GDPR, the world's most powerful piece of data protection legislation, became mandatory five years ago, on 25 May 2018.
  • DPA: Short for Data Protection Act. Depending on the jurisdiction, different countries and regions have data protection laws that regulate the processing, storage and protection of data. The purpose of data protection laws is to protect individuals' personal data, ensure their right to their data, and define the responsibilities of data controllers and processors. The term DPA is used more broadly and can refer to data protection laws in different countries or jurisdictions. These laws set out in detail the principles of data protection, the rights of individuals, the responsibilities of controllers and processors, and the duties and powers of data protection authorities. DPAs may take different forms depending on the specific laws of a jurisdiction.

It is important to note that the terms listed do not belong to a single category or group. Each term represents different legislation or standards that focus on different areas of data protection.

The National Authority for Data Protection and Freedom of Information and data management

The National Authority for Data Protection and Freedom of Information celebrated its 10th anniversary in 2022. Taking stock of the experience of the past decade, the Authority has been a key contributor to the enforcement of data protection rights, exercising its powers of sanction and authority in cooperation with the countries of the European Economic Area. In line with the objectives of previous years, the Authority has continued to focus its modernisation efforts on customer-oriented and efficient task performance and its continuous improvement and monitoring. In order to successfully achieve the tasks ahead, it continuously monitors its own operations, examining the achievement of its objectives in terms of the problems encountered and the prevention of future shortcomings.