Quiz Entry - updated: 2026.07.14
How can classic IT security goals (CIA) conflict with data protection goals?
IT security goals and data protection goals can conflict — for example, replicating personal data to global servers improves availability but may violate data protection requirements around data location and purpose limitation.
Example conflict: Availability vs. Data Protection
| Aspect | IT Security Goal | Data Protection Concern |
|---|---|---|
| Goal | High availability through global replication | Data minimization and storage limitation |
| Action | Replicate personal data to servers worldwide | IP addresses and other data stored in countries with weaker privacy laws |
| Result | System stays available even if one region fails | Privacy is compromised in favor of availability |
Other potential conflicts:
- Integrity through logging vs. data minimization — Comprehensive audit logs improve integrity but collect more personal data than necessary
- Confidentiality through monitoring vs. privacy — Network monitoring detects threats but also surveils user behavior
- Availability through backups vs. right to deletion — Backups preserve data that users may have requested to be deleted
How to resolve these conflicts:
The goal is to find a balance that satisfies both security and privacy requirements. This often involves:
- Privacy-preserving logging (logging events without storing unnecessary personal details)
- Data localization strategies (keeping replicas within privacy-friendly jurisdictions)
- Retention policies that expire backups according to deletion requests
Tip: When designing systems, always evaluate each security measure through both lenses: "Does this make the system more secure?" AND "Does this respect data protection principles?"