Data Protection, Data Privacy, Information Security, Cybersecurity, Risk Management, Software Architecture.

All these terms are well known and established and everyone know how to utilize them. Hm, are they?

When it comes to the development of a new software product, they will often all be thrown together. Miscommunication in this area, however, might in the worst case even spoil your market launch and product success.

Data Protection, Data Privacy, Information Security, Cybersecurity – and how all these terms relate to each other and to software product design. #

Clarification of terms #

All these terms are well known and established. However, when it comes to the development of a new software product, they will often all be thrown together. Miscommunication in this area, however, might in the worst case even spoil your market launch and product success.

Data: Privacy or Protection? #

In English-speaking countries, «Data Privacy»is more or less a synonym for «Data Protection». The first («privacy») describes very nicely the goal behind the latter ( «protection») – of course data must not be protected for its own sake.

In the German-speaking world, on the other hand, the term «Datenschutz» is often used, which is more aimed at the actual and administrative tasks that aim to harvest «Data Privacy»as a result.

Even worse, «Data Protection»has in some (German) countries speaking countries often taken on a life of its own, so that bureaucratic measures are demanded for their own sake, without improving data privacy in any way.

Data or Information Security? #

To ensure «Data Privacy», you need «Information Security», which focuses on the undisturbed use and utilization of information as a valuable resource on your terms. Since the first is built on the latter, you won’t get far with «Data Privacy» without «Information Security». So «Data Privacy»is actually the goal of data protection and includes all the measures to achieve it.

For that, you pretty much also need «IT Security", which includes the associated technical hardware and software as an IT system that is properly set up and maintained. Both can be grouped under the umbrella term «Cybersecurity».

Challenges for DPOs and CISO’s #

What makes things challenging is that «Data Privacy»Regulations raise non-functional requirements, which can technically be implemented in various ways. They might even not require technical implementation because they can be met through organizational measures.

You as Data Privacy Officer and/or as Information Security Officer  have to be aware of this, because when you speak with developers they will focus on technical measures but when you speak with legal they might ask for administrative action.

A communication method to integrate this is Risk Management.

Why do I need Risk Management? #

What somehow unites all these terms – and others at that – is the concept of Risk Management. Risk Management appears both in data protection, e.g. in the General Data Protection Regulation as «Data Protection Impact Assessment», and in «Information Security» as risk assessment, e.g. in the ISO/IEC 27001 standard for information security.

The idea behind Risk Management is that you should know which resources are important to you and how they are threatened. Only then you can define efficiently appropriate measures. In fact, not you but your organization should know about the resources and threads.

That said we learn that Risk Management is in fact a communication measure to create and share a common understanding about what you do and what is of importance.

When doing risk management you learn that there is often more than one way to reach the goal.

How to govern Software Architecture Decisions #

Especially in software development, where the resulting software product is virtual, you often only see at the end what you have unfortunately overlooked in terms of data protection and information security in the first attempt.

A robust and comprehensible software architecture is not sufficient on its own, but – as in the construction of buildings – it is a secure and sustainable basis for achieving the desired goals in «Data Privacy»  and «Information Security».

Even if your are fully committed to the Agile Manifesto and value communication higher than documentation: With the help of Architecture Decision Records, you can also easily and painlessly document your internally conducted decisions and discussions you require to reach your goals in «Information Security» and «Data Privacy» – and lauch a secure software product in time. Highly recommended!