Cybersecurity and Data Protection: The Regulatory Landscape
Every data breach is a cybersecurity failure. Every cybersecurity failure is a data protection problem. Yet many organisations still treat these two disciplines as separate functions with separate teams and separate budgets. In an era of escalating cyber threats and tightening regulation, that separation is becoming increasingly costly.
What Are Data Protection and Cybersecurity?
Data protection refers to the legal and regulatory frameworks that govern how personal data is collected, stored, used and shared. It is fundamentally about the right of individuals to know how their data is being used, to access it, correct it and in some circumstances demand its deletion. In the EU, the GDPR is the cornerstone of data protection law, establishing principles of lawfulness, fairness, transparency, purpose limitation and data minimisation that apply to any organisation handling the personal data of EU residents regardless of where that organisation is based. Cybersecurity is the practice of protecting networks, devices and data from unauthorised access, criminal use and digital attack. The UK’s National Cyber Security Centre describes cybersecurity as how individuals and organisations reduce the risk of cyberattacks, while the US Cybersecurity and Infrastructure Security Agency frames it as ensuring the confidentiality, integrity and availability of information.
Together, data protection and cybersecurity protect personal data and strengthen the defences of digital ecosystems. They can be considered a necessary duo for the protection of individuals and organisations. While this duo has the potential to protect digital ecosystems, there are factors to consider in achieving that goal.
The distinction between data protection and cybersecurity is key to designing the most appropriate approaches to apply to solve data and cybersecurity challenges. In the EU, data protection is a regulatory regime, providing rules and principles that regulate how data is created, collected, stored, used, and transmitted. Cybersecurity is how the risks of cyberattacks are reduced by individuals and organisations. America’s Cyber Defence Agency describes it as “the art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information.”
The Legal and Regulatory Landscape
As cybersecurity attracts more attention, critical issues regarding data privacy and data protection are raised. In the same vein, as data privacy and data protection gain more attention, concerns relating to cybersecurity are brought to the stage. The relationship between security and data protection is evident in modern data protection principles, which themselves require that personal data be protected by security safeguards.
As an example, the OECD (Organisation for Economic Co-operation and Development) Security Safeguards Principle provides that,
“Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.”
Cybersecurity laws can help to improve data protection. As more organisations use greater amounts of consumer data, it becomes more important for robust cybersecurity and data protection programmes to be implemented, which take into account not only laws and regulations but also the changing technologies that affect operations. Improvements in awareness and understanding of technology, data protection requirements and cybersecurity risks can materially reduce the risks facing digital ecosystems.
Legal Frameworks
The legal landscape governing cybersecurity and data protection is fragmented but rapidly developing across jurisdictions.
Under Article 32 of the GDPR, organisations are required to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. This includes encryption, the ability to ensure ongoing confidentiality and integrity of systems, and a process for regularly testing and evaluating the effectiveness of security measures. A data breach resulting from inadequate cybersecurity is therefore not just a technical failure. It is a legal one, potentially triggering fines of up to €20 million or 4% of global annual turnover.
The EU’s Network and Information Security Directive 2, which became enforceable in October 2024, significantly expands the cybersecurity obligations of organisations operating critical infrastructure and essential services across the EU. It introduces stricter incident reporting requirements, supply chain security obligations and personal liability for senior management in the event of serious cybersecurity failures. For global businesses with EU operations, NIS2 represents one of the most significant new compliance burdens of recent years.
The UK government’s Cyber Essentials framework sets out baseline cybersecurity controls that organisations should implement to protect against the most common cyber threats. While not legally mandatory for all organisations, it is required for businesses seeking certain government contracts and is increasingly referenced as a standard of reasonable cybersecurity practice.
In the United States, the National Institute of Standards and Technology Cybersecurity Framework provides voluntary guidance for managing cybersecurity risk, widely adopted across industries. California’s Consumer Privacy Act meanwhile mirrors some GDPR principles, granting California residents rights over their personal data and imposing obligations on businesses that handle it. The US federal landscape remains fragmented without a single comprehensive national data protection law. This presents a gap that regulators and legislators continue to debate.
Evolving Regulatory Landscape
For global businesses, the convergence of data protection and cybersecurity regulation creates both complexity and opportunity. The relationship between data protection and cybersecurity will only deepen as digital infrastructure becomes more complex and cyber threats more sophisticated. Regulators across the world are moving toward frameworks that integrate understanding of the two fields.
Disclaimer: This publication is for educational and informational purposes only and does not constitute formal legal advice or create an attorney-client relationship.
