In information security everything revolves around the CIA triad: Confidentiality, Integrity and Availability. In the privacy world the GDPR names "integrity and confidentiality" as a principle in Article 5. Two of the three words are identical, and that is exactly where confusion arises. They are not synonyms: they have a different scope and a different purpose. Knowing the distinction lets you explain both security and privacy more precisely.
What is the CIA triad?
The CIA triad is the foundation of information security. It describes the three properties you want to protect for all information and systems, not only for personal data:
- Confidentiality: only authorised people have access. A breach or an over-shared folder harms confidentiality.
- Integrity: the information is correct and complete and is not altered without authorisation. A forged amount or a tampered log harms integrity.
- Availability: information and systems are usable when needed. Ransomware or an outage harms availability.
What does the GDPR say about integrity and confidentiality?
The GDPR sets out six principles for processing personal data in Article 5. The sixth is "integrity and confidentiality": personal data must be protected by appropriate technical and organisational measures against unauthorised processing, loss or damage.
Importantly, this principle applies solely to personal data, not to all business information. It also sits alongside the other GDPR principles, such as purpose limitation, data minimisation and accuracy. Accuracy resembles integrity, but in the GDPR it is a separate principle.
The key differences at a glance
The same words, but mind the scope and the purpose:
- Scope: the CIA triad applies to all information and systems; the GDPR principle only to personal data.
- Purpose: CIA mainly protects the organisation and its continuity; the GDPR mainly protects the rights and freedoms of individuals.
- Availability: a full part of the CIA triad, but not a separate GDPR principle. The GDPR touches availability only indirectly, through the requirement to take appropriate measures.
- Integrity: in CIA this means correct and unaltered; in the GDPR, 'correct and up to date' falls under the separate principle of accuracy, while 'protected against unauthorised alteration' falls under integrity and confidentiality.
- Confidentiality: this is where the two frameworks overlap most: only authorised people may access the data.
Where it gets confusing in practice
Most confusion arises because personal data is a subset of all information. A customer database falls under both the CIA triad (it is business information) and the GDPR (it is personal data). One leak then harms confidentiality in CIA terms and breaches the GDPR principle at the same time.
It helps to remember: the CIA triad is your broad security lens for everything, and the GDPR adds an extra, stricter layer on top for the specific case of personal data. They do not contradict each other; the GDPR is more specific and adds data subject rights.
How to embed this in your awareness programme
This distinction is ideal to cover early in your programme, because it gives structure to the rest of your security and privacy content. People then understand better why a data breach has two faces: it is a security incident and a privacy matter at the same time.
- First introduce the CIA triad as a common language for the whole company, then position the GDPR as the stricter layer for personal data.
- Use one recognisable example, such as a leaked customer database, and show how it touches both CIA and the GDPR.
- Align with security and compliance so they use the same terms in the same way.
- Want to embed this in a continuous learning path? Explore the privacy courses in our course catalogue.
FAQ
What does the CIA triad stand for?
CIA stands for Confidentiality, Integrity and Availability, the three core properties information security protects. In Dutch this is known as BIV. It applies to all information and systems, not only to personal data.
Is the GDPR principle the same as the CIA triad?
No. The GDPR names 'integrity and confidentiality' as a principle for personal data in Article 5, but it is narrower than the CIA triad. Availability is not a separate GDPR principle, and the GDPR applies only to personal data, while the CIA triad covers all information.
Is availability part of the GDPR too?
Not as a separate principle. Availability is a full part of the CIA triad, but the GDPR names it only indirectly through the requirement to take appropriate technical and organisational measures. In the CIA lens, availability is therefore more prominent.
Why is integrity confusing in the GDPR?
Because the GDPR distinguishes two things that fall under integrity in CIA: 'correct and up to date' sits under the separate principle of accuracy, while 'protected against unauthorised alteration' falls under integrity and confidentiality. In the CIA triad all of that sits under integrity.
Do the GDPR and the CIA triad contradict each other?
No. They complement each other. The CIA triad is your broad security framework for all information; the GDPR adds a stricter layer on top for personal data, including data subject rights. One good programme can serve both at once.