Data Privacy vs Data Security: Drawing A Line Between The Two

In the modern digital world, where data is the most valuable asset, organizations face a multitude of challenges related to the privacy and security of employee, consumer, and client data.

The sheer volumes of data that enterprises handle and store is growing and alongside comes the rampant growth of cyber security threats, where any small failure can incur huge costs which drive our attention to the greater need for data protection practices.

Unfortunately, many organizations believe that their data security policy covers data privacy and vice versa. This confusion blooms out of our limited understanding of the concepts that often lead to the usage of data security and data privacy interchangeably.

So, we will attempt to touch upon the distinct differences between data security and data privacy, so that you as an organization owner can get a clear picture of how they work, what they mean to your business and in turn incorporate both into a sound data governance strategy.

What is Data privacy?

Data privacy, also called information privacy, is concerned with the procedures and policies that govern the collection, storage, sharing, and usage of Personally Identifiable Information (PII). It reinforces an individual’s rights to their personal information and considers their preference concerning control and information sharing with third parties.

It has two aspects — first is access control, which works on who should have authorized access to the data and who shouldn’t. The second aspect of data privacy involves putting mechanisms into place that will prevent unauthorized access to the data.

The common concerns that arise regarding data privacy are:

• Management of contracts or policies,
• Applying governing regulation or law (like GDPR, CCPA, and HIPAA that impose a broader set of privacy standards and compliance requirements on companies that store or process the PII.),
• Third-party involvement

What is Data Security?

Data security?is primarily focused on preventing unauthorized access to data, via breaches or leaks, regardless of who the unauthorized party is. Although data security primarily focuses specifically on keeping data secure, it also incorporates infrastructure security. Additionally, it is a step towards maintaining the integrity of the data which ideally means to ensure data is accurate, reliable, and only available to authorized parties.

An effective data security plan includes resilient data storage technologies, encryption solutions, data erasure, data masking, physical and logical access controls, breach response, and multi-factor authentication using tools and technologies such as firewalls, network limitations that deter access. Recently, security technologies such as tokenization and encryption have been put into use to further protect data by rendering it unreadable if a cybercriminal has access to massive volumes of sensitive data that are at risk of exposure.

In short, data security is architected by a technologically sophisticated, holistic approach that secures every network, application, device, and data repository in an enterprise IT infrastructure.

What is the core difference between Data Privacy and Data Security?

Data security and data privacy are strongly interconnected but not the same. The difference between privacy and security is measured through the parameters concerning which data is being protected, how it’s being protected, from whom it’s being protected, and last but not least of who is responsible for that protection. Data Privacy is related to the use and governance by implementing policies and procedures to ensure that personal information is being collected and used in an appropriate manner. Data Security is centered around protecting data from malicious threats and exploitation of stolen data. Data security is necessary to protect the data but not sufficient to ensure data privacy.

To make it even more clear for you, I suggest y’all take a look into any organization’s operations. The mechanisms administered in an organization may promote effective and robust data security, yet the procedures relating to initial data collection and handling might be faulty — such as proper consent not taken from the individual then it can lead to an instance of privacy policy violation even though data security remains unbreached.

Therefore, organizations must understand that data security can be achieved without data privacy. However, data privacy cannot be achieved without data security. So, it is safe and approved to say that data security is a prerequisite to data privacy.

Although we just studied the difference between the two concepts, when represented in a Venn diagram they have significant points of overlap which need to be taken into consideration while developing a distinct set of business strategies to properly address both.

Understanding the related standards: ISO27701 vs ISO27001

In brief, the ISO 27000 series of standards are a set of international standards all concerning information security. The main difference between the two above-mentioned standards is that the ISO 27001 standard has an organizational focus and details requirements providing an adequate level of resource into the establishment, implementation, maintenance, and continual improvement of the information security management system. On the other hand, ISO27701 which was recently published in August 2019, mainly focuses on the privacy of information, by creating a framework for the ‘controllers’ of personally identifiable information.

Essentially, ISO 27701 standard is an extension to ISO 27001, hence the organizations can implement both the standards together and be certified to both standards in a single audit to keep up with the ever-increasing data handling formalities and the inevitable need to address emerging data privacy laws like the CCPA.

This brings us to data protection an amalgamation of the concepts of data security and data privacy — their requirements, challenges taken together which should be translated into a sound data governance strategy that is crucial for organizations to prevent unforeseen business interruptions.

Article References:

• https://www.gartner.com/en/documents/3989495/the-state-of-privacy-and-personal-data-protection-2020-2
• https://www.gartner.com/en/newsroom/press-releases/2020-09-14-gartner-says-by-2023--65--of-the-world-s-population-w
• https://www.zdnet.com/article/data-privacy-and-data-security-are-not-the-same/
• https://www.inc.com/thomas-koulopoulos/the-biggest-risk-to-your-business-cant-be-eliminated-heres-how-you-can-survive-i.html

Disclaimer: The views, thoughts, and opinions expressed in the text above belong solely to the author, and don’t reflect views of the author’s employer, organization, committee, or other group or individual.