What is "security"? - Understanding and applying legal security and technical security
The question of "How can we best protect ourselves?" is a concern for many companies. This encompasses both safeguarding their own trade secrets as well as ensuring compliance with the law.
Rarely is this achieved through a single measure. While confidentiality clauses can be signed, they are unlikely to deter criminals. Similarly, data protection notices on the website, while legally required, do not prevent hacker attacks. On the other hand, a technically secure server does not guarantee that parties, even if well-intentioned, won't disclose company secrets. Moreover, handling employee data correctly from a technical perspective (encryption, access restrictions) may still constitute a violation of the law if the wrong data is collected.
It is therefore evident that "security" must always be considered from at least two equally important perspectives. Legal security helps prevent general business errors, legal violations, and the associated fines. Technical security is necessary to protect against external threats and to enforce internal rules.
Legal security
Legal security refers to all protective measures that companies can take to legally secure themselves or their activities. This includes, for example, company documents such as contracts, non-disclosure agreements or workplace instructions, but also organisational measures, audits, service provider checks, and balancing of interests.
In the GDPR, there are some requirements that a company must fulfill to protect data subjects from an overly extensive processing of their data. If a company does not comply with these requirements, it risks warnings from the supervisory authorities, up to fines or claims for damages by data subjects.
The protection of personal data starts with the selection of which data to process. Without considering technical security yet, the company can already protect itself by collecting and using only data that is actually necessary.
In general, the security of data and trade secrets depends on all parties involved knowing their rights and obligations.
Technical security
Technical security refers to all the measures that the company implements to ensure the confidentiality, integrity and availability of data. In some cases, further protection goals are defined, which are more or less important depending on the context. However, we will focus on the basic protection goals for now.
Confidentiality is concerned with ensuring that people only receive information that has been released to them. For instance, data encryption prevents external third parties from easily gaining access to data.
Integrity aims to ensure that data is not altered in an unauthorised or unintentional way. When copying files, for example, it is possible to check whether the resulting file is exactly the same.
Availability means that the data remains usable at all times. Even after a failure, appropriate measures such as regular backups should guarantee that all necessary data can be used again within a short time.
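The integrity check mentioned above (verifying that a copied file is exactly the same as the original) can be done by comparing cryptographic digests. The following is an added example written for this article, not code from the original page: it hashes a file in chunks, copies it, confirms the copy is byte-identical, and then shows that a single flipped byte is detected against a recorded digest. The file names and contents are constructed for the demonstration; the same functions work for any file and for a digest recorded earlier (for instance in a backup manifest).

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def file_digest(path, algorithm="sha256", chunk_size=1 << 16):
    """Return the hex digest of a file, read in chunks so large files fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def copy_with_verification(src, dst):
    """Copy src to dst and return True only if the copy's digest matches the source."""
    expected = file_digest(src)
    shutil.copyfile(src, dst)
    return file_digest(dst) == expected


def verify_against_record(path, recorded_digest):
    """Compare a file's current digest with a digest recorded earlier (e.g. in a manifest)."""
    return file_digest(path) == recorded_digest


def demo():
    """Constructed demonstration: create a file, copy it, then alter the copy.

    Returns (copy_verified, copy_still_valid_after_change).
    """
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "contract.txt"          # constructed sample file name
        dst = Path(tmp) / "contract_copy.txt"
        src.write_bytes(b"Constructed sample contract text\n" * 100)

        ok_after_copy = copy_with_verification(src, dst)  # copy is byte-identical
        baseline = file_digest(dst)                        # digest recorded for later checks

        # Simulate an unauthorised or accidental change: flip one bit of one byte
        data = bytearray(dst.read_bytes())
        data[10] ^= 0x01
        dst.write_bytes(bytes(data))

        ok_after_change = verify_against_record(dst, baseline)  # digest no longer matches
        return ok_after_copy, ok_after_change


if __name__ == "__main__":
    print(demo())
```

Comparing digests rather than file sizes or timestamps is the point: the altered copy keeps the same length and a plausible modification time, yet the mismatch is still caught.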
Conclusion
Both aspects of security work hand in hand. A firewall protects companies from external attacks, but not from visitors who see information on screens and take it outside. In this case, legal protection measures, such as non-disclosure agreements, can help instead. Legal measures will not work without technical security, and technical measures will not work without legal security.
In the subsequent articles of the series "What is 'security'?" we will take a closer look at selected examples from everyday corporate business from these two points of view: legal security and technical security.