The term data protection is often used interchangeably with the term information security. This article argues that while there is a substantial overlap between information security and data protection, these two concepts are not analogous. Furthermore, the article argues that data protection goes beyond the boundaries of information security to include not only the protection of information resources, but also includes other aspects such as the security of information processing. In information security, the aim is to protect an organisation's resources, such as information, computer hardware and software. In data protection, in addition to maintaining information security, organisations have to follow strict rules called "data protection principles". This additional dimension has implications for the organisation. For example, it requires that proper use is made of information about people. In this paper an effort will be made to include data protection attributes in the CIA approach.