With the advent of rights and duties regarding privacy and its maintenance, for both individuals and companies, it is necessary to establish strategies that link Personal Data Protection and Information Security.
In Brazil, privacy issues were addressed by legal instruments such as the Constitution of the Republic, the Consumer Protection Code, the Access to Information Law, the Carolina Dieckmann Law, and the Marco Civil da Internet (Brazilian Internet Bill of Rights). In 2018, the General Data Protection Law – LGPD – was enacted, and it came into force in 2021. In short, the protection of personal data and the privacy of data subjects are major concerns, and consequently the limits on, regulation of, and access to and misuse of personal data have been the subject of much debate and many initiatives.

In parallel, the discipline of Information Security has evolved as information, as a strategic asset, has grown in value. Along this path, and considering how information is now disseminated largely detached from any physical medium, the cyber perspective has been incorporated into the principles of information security, since threats to a secure environment can materialize in different ways. In practice, technological artifacts such as firewalls, antivirus, monitoring through Data Loss Prevention (DLP) policies, encryption, password vaults, and physical and logical access restrictions, among others, are incorporated into the environment.
It's worth emphasizing that the disciplines of Personal Data Protection and Information Security are intrinsically connected. They share the common goal of protection (keeping information safe from threats internal or external to the organization), they use similar protection techniques (such as encryption, firewalls and access controls to maintain a secure environment) and, ultimately, when violated, they result in significant impacts (ranging from reputational damage to financial penalties).
However, although connected, they are not the same. Information Security (IS) and Personal Data Protection (PD) present significant differences in areas they have in common:
i) Focus of protection – IS: focuses on protecting all of the organization's information, regardless of whether it is personal data or not / PD: focuses exclusively on information that can identify data subjects;
ii) Regulation – IS: follows a set of industry best practices and standards; there is not always a specific law / PD: rules defined by law; and
iii) Principles and objectives – IS: based on maintaining the confidentiality, integrity, availability, and authenticity of information / PD: prioritizes principles such as purpose, transparency, and the right of individuals to access, correct, or delete their data.
All the elements presented here converge at the intersection of governance and accountability. From the perspective of the LGPD (Brazilian General Data Protection Law), Article 6, which sets out the principles for personal data processing activities, emphasizes accountability and reporting. From the perspective of information security governance, what stands out is the maintenance, updating, and monitoring of the environment through organizational, personnel, physical, and technological controls. And what about risks? Each discipline is constantly mitigating the risks of the other. But that's a topic for another discussion…