What is Data Protection?
Information systems have become indispensable nowadays as they allow people and organizations to process large volumes of data they deal with in both their business and private lives.
You can share your personal or corporate data with a third party almost without knowing it, simply by making a phone call, using your smartphone or working over the Internet.
Sharing personal or corporate information can be useful and sometimes it is imperative for everyday life and communication in the modern world. However, it entails certain risks.
Personal data includes any information relating to a particular person or business. It is increasingly difficult for people and organizations to maintain control of their information online, where huge amounts of data can travel around the world in an instant. This is where data protection comes in.
Data protection is a set of fundamental practices, techniques and principles used to safeguard and maintain control of your information. In a nutshell, you should be able to decide what data you want to share, with whom, for how long and for what purpose someone can access it, modify it, etc.
Governments are particularly invested in keeping their data safe. As citizens and government agencies around the world are facing more attacks than ever, countries must take measures to protect data and privacy.
The main reasons why governments need to develop a comprehensive data protection framework are as follows:
- The standards that exist today need to be updated. Ever since the Internet came into our lives, people have been sharing more and more personal information online. Many countries have useful data protection regulations in place, but they are not always in line with the present-day challenges of the constantly connected world.
- Companies’ internal guidelines fail to provide adequate data security. Various companies have been trying relentlessly to regulate privacy and protect their data by implementing their own guidelines rather than using a mandatory regulatory framework. These guidelines, often rather flexible, have not been effective in protecting the rights of users.
Data Protection in Latin America
People in virtually every country in the world are currently aware of what constitutes personal data and what level of protection it requires. Data by itself does not need any protection. However, when it is linked to a person, it is no longer the data that needs to be protected, but rather the person who owns it. Therefore, the importance of data privacy cannot be denied.
The need to create an up-to-date data protection regulatory framework is becoming increasingly evident in Latin America. Many countries in the region have already begun working on this:
Mexico: The constitutional reform of 2014 transformed personal data protection at the national level. An attempt was made to create a legal framework that would establish the minimum requirements for regulation and protection of personal data of individuals and federal and local government agencies.
To this end, the Federal Law on Protection of Personal Data Held by Individuals was published in 2010, followed by the General Law on Protection of Personal Data Held by Public Bodies in 2017.
Uruguay: The Personal Data Protection and “Habeas Data” Act was put in place in 2008. This regulation states that “the right to protection of personal data is an inherent human right”; therefore, any citizen can take legal action to find out what information about him or her is held in a database.
Argentina: Personal Data Protection Act 25.326 was adopted in 2000. In addition, the National Directorate for Personal Data Protection was created to supervise effective protection of personal data stored in archives, registries, databases, or other technical means of data processing, both public and private.
Colombia: In 2012, the Congress enacted the Statutory Law on Personal Data Protection aiming to guarantee the fundamental right to personal data protection and regulate data processing activities of both public authorities and private sector companies. Its provisions are binding.
Thus, it is crucial that the region adopt regulations or policies in the field of data protection that are in line with the good practices already existing in other countries.
International Data Protection Standards
Information security management, a process that defines sound policies and best practices, as well as the hardware and software components that must be implemented to secure data, can be approached in different ways. However, an important part of this process is covered by international standards and by national regulations issued by various organizations.
Knowing and implementing the security standards of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) is essential to guarantee the quality and security of activities of companies and organizations across the globe.
The ISO/IEC 27000 family of standards is a set of information security guidelines (already published or under development) that outline the requirements for information security management.
They contain recommended best practices that can be used by any organization, public or private, large or small, to develop, implement and maintain an Information Security Management System (ISMS).
The standards in the series include:
- ISO/IEC 27000: The vocabulary used in all the ISMS standards. It is currently under development.
- ISO/IEC 27001: The standard against which organizations are certified. Published in October 2005, this international standard is the most important one in the series. It specifies the requirements for implementing an ISMS, risk management, and continuous improvement.
- ISO/IEC 27002: Formerly BS 7799 Part 1 and ISO/IEC 17799, it is a code of practice for information security management. This standard was published in July 2005 as ISO 17799:2005 and subsequently renumbered ISO/IEC 27002:2005 in July 2007.
- ISO/IEC 27003: This standard provides guidance on implementation of an ISMS in accordance with ISO/IEC 27001. Published in February 2010, it is currently not certifiable.
- ISO/IEC 27004: Metrics for evaluating an information security management system. Published in December 2009, this standard establishes who should perform information security measurements, when, and how.
- ISO/IEC 27005: This standard focuses solely on information security risk management. It supports the risk management process described in ISO/IEC 27001 and provides guidelines on the methods and techniques used to assess information security risks. This document, published in June 2008, is closely related to the current version of BS 7799 Part 3.
- ISO/IEC 27006: This standard provides guidance on the accreditation of bodies that certify information security management systems. It establishes requirements for ISMS certification.
- ISO/IEC 27007: Guidelines for ISMS auditing, currently under development.
It should be noted that the ISO/IEC 27000 series can be traced back to BS 7799, a British information security standard the first two parts of which were published in 1995 and 1998.
BS 7799-1 was a code of practice for information security management (not certifiable), whereas BS 7799-2 provided a specification for information security management systems (certifiable). BS 7799-1 evolved into ISO 17799 and ISO 27002, while BS 7799-2 became ISO 27001.
Importance of Information Security
Governments, companies and people alike are beginning to realize the need to protect their private information. This is where ISO/IEC 27000-certified best practices can be useful. Implementing such practices can benefit a company in the following ways:
- For the company environment: Implementing the required records and control measures represents an important commitment to information security. It means that the company can demonstrate all the efforts it has made to guarantee information security within the organization.
- For regulatory compliance: It can help the company demonstrate that it complies with the regulations applicable in its region.
- For risk management: The company knows exactly what information systems it uses, what problems it faces, and what security measures it applies.
- For business: It builds customer confidence and trust, because a lack of customer trust can affect the company’s sales and the perceived quality and usability of its products.
- For finance: It helps companies cut the costs of mitigating cybersecurity incidents.
- For people: It creates a personal culture that promotes correct handling of information, adequate application of security measures and establishes the employees’ and the company’s roles in relation to data protection.
Successful companies apply the best practices recommended by ISO/IEC 27000 to stay ahead of the competition. If you want to establish good international business relationships, certification is vital in order to demonstrate your commitment to ensuring the highest level of data security.