researchHQ’s Key Takeaways:
- While data privacy and security are two sides of the same coin, organisations require distinct strategies to manage each.
- Data privacy policies should define what personal data an organisation is collecting, why it’s collecting it and how it plans to use it.
- Data security concerns how the data collected is protected from unauthorised access and damage.
- Sophisticated identity and access management (IAM) solutions help organisations control user access rights within their system, ensuring the privacy and security of data.
Disclaimer: This article is for general information purposes only and not a substitute for legal advice. Please consult with your legal counsel to obtain specific advice for any legal matter.
Any pre-teen with a journal understands the difference between data privacy and data security. If you secretly read your friend’s journal to find out their secrets, you’ve violated the principles of data privacy. But if your friend tells you their secrets, and you write them in your own journal, and then leave that journal out where anyone can read it, you’ve violated good data security.
As a pre-teen, a failure on either front can cost you your friendship. In today’s business world — in which cybersecurity threats are rampant, and data privacy laws like the EU’s General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) are cropping up around the world — failure can be even more costly. Knowing the difference between data privacy and data security, and the tools you must employ to protect both can help prevent breaches and achieve legal compliance. Unfortunately, too many executives think that their data security policy covers data privacy, and vice versa.
In this climate, it’s crucial for executives to understand how these concepts differ, how they overlap, and how to incorporate both into a sound data governance strategy.
What’s the Difference Between Data Privacy and Data Security?
You can imagine data privacy and data security as a Venn diagram with significant points of overlap, but businesses should have a distinct set of strategies for managing each.
That doesn’t mean you can have one without the other, necessarily — you can hardly protect privacy without security. But it does mean that sometimes it’s important to look at each concept separately to make sure both sides of the security/privacy coin are being properly addressed.
Data privacy is about defining what personal information you should and shouldn’t ask for (or gather) from your users.
It concerns how and why an entity collects, stores, shares, and controls access to sensitive data. Data privacy is about the kind of information you ask from your users (or collect via cookies or from third parties), why you ask for that information in the first place, and how you plan to use the information you’ve gathered.
Data privacy applies to the personal information of an individual. GDPR and CCPA have broadly similar definitions of personal data. An individual’s full name and mailing address will typically be considered personal data, while in some cases browsing history could also be seen as personal data. GDPR goes further in defining special categories of data, such as health information, political opinions, biometric data, and sexual orientation, which are all subject to stricter requirements for processing. The personal data of minors is also subject to stricter regulation under many international laws.
Data privacy laws address both the “how” and the “why” of data collection. These laws require companies to transparently communicate their policies to users and give users greater control over how their data is used, which may require providing users with the ability to opt in or out: that’s the “how.” But they also require companies to disclose what purpose they’re collecting data for: that’s the “why.” In other words, what justifies the intrusion.
For instance, in 2018 the UK’s Information Commissioner’s Office fined Facebook under the pre-GDPR Data Protection Act for allowing Cambridge Analytica to harvest user data without users’ consent, violating their privacy. There was no data breach and no malicious hacker involved: the company simply wasn’t respecting user privacy, and that data was then potentially used to manipulate elections.
There are, of course, legitimate ways for a company to collect personal information without separate prior consent that don’t inherently violate the principles of data privacy. Most companies that do business online collect things like usernames, password hashes, bank or credit card information, and other data directly needed to deliver the service the user asked for.
If you’re a home insurance company, you may need the address of the customer’s home, the size of the home, the year it was built, etc. It may be perfectly fine to hold that information, but if your insurance company shares this data with an unauthorized third party without your customers’ knowledge or consent, you may be straying into non-compliance territory.
The legal definition of personal information keeps being refined as laws and case law evolve, so the boundary of what you must protect shifts over time; the practices below are ways of keeping up with those changes.
Some data privacy laws, including GDPR, specifically enshrine the “purpose limitation principle,” mandating that personal data collected for one purpose can’t be reused for a new, incompatible purpose without a fresh legal basis, typically the user’s specific consent. GDPR also requires “data minimization”: entities must not collect more data than is needed for the specific purpose they have declared.
If data privacy concerns the personal data of individuals, data security concerns how a company protects that data from unauthorized access or corruption. Data security is what you do with the data you’ve gathered from your users — where you store the data, whether or not you encrypt it, who has access to it, and how you determine who is an authorized user.
It’s possible to have good data privacy standards while still failing on data security. Even if your data collection policies are strictly in accordance with the law, if you’re not protecting that data with adequate security measures such as authentication and access management, you still may not be in legal compliance.
How the Law Regulates Data Privacy and Data Security
The GDPR and the CCPA came into being largely in response to unscrupulous data collection policies that failed to respect users’ privacy. Data privacy laws may require companies who deal in personal data to have well-maintained records of how user data was acquired, why, who had access to it, and where it was sold or shared and with whom. You may need to have all that information ready at all times, and be able to share it with users and regulators upon request.
The current crop of data privacy laws also specify, to varying degrees, the security measures that companies are obligated to adopt to protect data.
Protecting Access and Anonymity
There are tools to help you build a stronger data privacy and security program.
Access management is about ensuring that a user is who they say they are, that they can reach only what they are entitled to reach, and that you have a way to manage those entitlements over time. Implementing multi-factor authentication (MFA) is a major element of data security; without it, intruders can impersonate users and expose records through credential stuffing, replaying username/password pairs leaked from other sites. Note that a username only identifies the account; it is not an authentication factor. MFA combines two or more independent factors: something the user knows (a password), something the user has (a hardware security key, an authenticator app or phone) and, optionally, something the user is (a biometric).
Anonymization and de-identification transform user data so that it no longer identifies, and cannot reasonably be re-linked to, an individual. The legal and technical bar for this varies by law. GDPR, for example, distinguishes true anonymization, after which the data falls outside the regulation, from pseudonymization, which replaces identifiers with tokens but still counts as personal data because the key that reverses it exists somewhere. As more laws develop, and the ones on the books have time to mature, we can expect some clarity and convergence on this front. Keeping the identifier-to-token keys under IAM control, separate from the data itself, helps you stay compliant even as the legal definitions shift.
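The following is an added example, not code from the original article, showing what a two-factor check looks like in practice: a salted PBKDF2 password hash for the “something you know” factor and an RFC 6238 time-based one-time code (TOTP) for the “something you have” factor, with constant-time comparison, a small clock-drift window and replay protection so a captured code cannot be reused. The user record, password, fixed clock and the TOTP secret (the RFC 6238 test key, so the codes are reproducible) are all constructed for this example.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Constructed for this example: the RFC 6238 test key, so the codes match the RFC tables.
RFC_SECRET = b"12345678901234567890"
# Kept low so the example runs quickly; use a far higher count in production.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Factor 1, 'something you know': store a salted PBKDF2 hash, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(salt: bytes, stored: bytes, password: str) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """Factor 2, 'something you have': RFC 6238 TOTP derives the counter from the clock."""
    return hotp(secret, int(for_time // step), digits)


def verify_totp(secret: bytes, code: str, now: float, step: int = 30,
                window: int = 1) -> Optional[int]:
    """Return the matched time-step counter, or None. `window` tolerates small clock drift."""
    current = int(now // step)
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


def make_user(username: str, password: str, totp_secret: bytes) -> dict:
    salt, digest = hash_password(password)
    return {"username": username, "salt": salt, "pw_hash": digest,
            "totp_secret": totp_secret, "last_counter": -1}


def authenticate(user: dict, password: str, code: str,
                 now: Optional[float] = None) -> Tuple[bool, str]:
    """Both factors must pass, and a TOTP counter is accepted at most once (no replay)."""
    now = time.time() if now is None else now
    pw_ok = verify_password(user["salt"], user["pw_hash"], password)
    matched = verify_totp(user["totp_secret"], code, now)
    # Evaluate both factors before deciding so a failure does not reveal which one failed.
    if not pw_ok or matched is None:
        return False, "invalid credentials"
    if matched <= user["last_counter"]:
        return False, "one-time code already used"
    user["last_counter"] = matched
    return True, "ok"


if __name__ == "__main__":
    alice = make_user("alice", "correct horse battery staple", RFC_SECRET)
    clock = 1111111109  # fixed clock so the run is reproducible
    code = totp(RFC_SECRET, clock)
    print(authenticate(alice, "correct horse battery staple", code, clock))  # (True, 'ok')
    print(authenticate(alice, "correct horse battery staple", code, clock))  # replay rejected
```

The replay check matters more than it looks: a phishing page that relays a victim's password and current code still only gets one login, and the `last_counter` bookkeeping is what turns a "something you have" factor into something the attacker cannot simply copy.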
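The following is an added example, not code from the original article, contrasting what teams often call “anonymization” with what actually survives a re-identification attempt. A plain SHA-256 of an email address is reversed in one line by anyone holding a list of plausible addresses; a keyed HMAC token cannot be rebuilt without the key, and a per-dataset label stops the same person being linked across datasets. The example also generalizes quasi-identifiers (birth date to an age band, UK postcode to its district) because a token alone does not make a record non-identifying. All records and the key are constructed for this example.

```python
import hashlib
import hmac
from typing import Dict, Iterable, List

# Constructed sample records for this example only.
RECORDS = [
    {"email": "alice@example.com", "dob": "1987-04-12", "postcode": "SW1A 1AA", "condition": "asthma"},
    {"email": "bob@example.com", "dob": "1962-11-30", "postcode": "M1 1AE", "condition": "diabetes"},
]
# Constructed key: in practice this lives in a separate vault, never beside the data.
KEY = b"constructed-example-key-keep-in-a-separate-vault"


def naive_hash(value: str) -> str:
    """What teams often do: an unkeyed SHA-256 of the identifier. This is not anonymization."""
    return hashlib.sha256(value.lower().encode()).hexdigest()


def recover_naive(hashes: Iterable[str], candidates: Iterable[str]) -> Dict[str, str]:
    """Dictionary attack: anyone with a list of plausible emails reverses unkeyed hashes."""
    table = {naive_hash(c): c for c in candidates}
    return {h: table[h] for h in hashes if h in table}


def pseudonymize(key: bytes, value: str, domain: str) -> str:
    """Keyed token (HMAC-SHA256). Without `key` the token cannot be reversed or rebuilt;
    the `domain` label stops one person being joined across unrelated datasets."""
    return hmac.new(key, f"{domain}:{value.lower()}".encode(), hashlib.sha256).hexdigest()


def age_band(dob: str, as_of_year: int) -> str:
    """Generalize a birth date (a quasi-identifier) to a ten-year band."""
    age = as_of_year - int(dob[:4])
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def outward_code(postcode: str) -> str:
    """Keep only the outward half of a UK postcode (district level, not address level)."""
    return postcode.split()[0]


def deidentify(records: List[dict], key: bytes, domain: str, as_of_year: int) -> List[dict]:
    """Drop direct identifiers, tokenize the join key, generalize the quasi-identifiers."""
    out = []
    for r in records:
        out.append({
            "subject_token": pseudonymize(key, r["email"], domain),
            "age_band": age_band(r["dob"], as_of_year),
            "district": outward_code(r["postcode"]),
            "condition": r["condition"],
        })
    return out


if __name__ == "__main__":
    guesses = ["alice@example.com", "carol@example.com", "bob@example.com"]
    print(recover_naive([naive_hash(r["email"]) for r in RECORDS], guesses))   # both recovered
    print(recover_naive([pseudonymize(KEY, r["email"], "analytics") for r in RECORDS], guesses))  # {}
    print(deidentify(RECORDS, KEY, "analytics", 2024))
```

Under GDPR the output is still pseudonymized rather than anonymous as long as anyone holds `KEY`, which is why the key, not the dataset, is the asset to put behind IAM controls.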
Creating a Data Privacy Plan
A strong data privacy plan is all about knowing what data you have on the customer/client/user and why you have it.
Hash Out the Internal Policy
Sit down with your development team and hash out the bare minimum data you need to ask for.
A mapping app needs GPS locations, an online order needs an address, etc. Do not ask your customers for (and do not collect from your customers) any non-essential data. Even if it might “come in handy” for planned future features, GDPR and similar laws stipulate that you cannot use data for purposes beyond those it was originally gathered for, so there is no saving it “for later.”
The next step is to create a comprehensive policy for everyone that outlines what kind of data you’re collecting for your business, the related bits of the actual regulation text to keep everyone on the same page, and detail who’s responsible for executing each leg of the policy.
Next, take stock of all the data you have and create a comprehensive inventory.
Data discovery and classification tooling, together with the access records in your identity and access management (IAM) system, can help you find this data and see who can reach it. Take inventory of where the data has gone, to other businesses or people, and track how it got there and for what purpose.
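The steps above (agree the minimum data, write down the purpose and owner of each field, keep an inventory) can be enforced in code rather than left as a document. The following is an added example, not code from the original article: a small inventory that drops any undeclared field at the point of collection (data minimization), refuses to hand a field to code that wants it for an undeclared purpose (purpose limitation), keeps an audit trail, and can print the record of processing a regulator or user might ask for. The mapping-app fields, owners and retention periods are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple


class PurposeViolation(Exception):
    """Raised when data is about to be used for a purpose it was not collected for."""


@dataclass(frozen=True)
class DataField:
    name: str
    purposes: FrozenSet[str]   # purposes disclosed to the user at collection time
    owner: str                 # who is accountable for this field
    retention_days: int


class DataInventory:
    """Policy as code: declare the minimum data and its purposes, then enforce
    minimization when data comes in and purpose limitation when it is used."""

    def __init__(self, fields: Iterable[DataField]):
        self._fields: Dict[str, DataField] = {f.name: f for f in fields}
        self.audit: List[Tuple] = []

    def collect(self, submitted: dict) -> dict:
        """Data minimization: anything not declared in the inventory is dropped, not stored."""
        kept = {k: v for k, v in submitted.items() if k in self._fields}
        dropped = tuple(sorted(set(submitted) - set(kept)))
        self.audit.append(("collect", tuple(sorted(kept)), dropped))
        return kept

    def allowed(self, field_name: str, purpose: str) -> bool:
        f = self._fields.get(field_name)
        return f is not None and purpose in f.purposes

    def use(self, field_name: str, purpose: str) -> DataField:
        """Purpose limitation: refuse any use the field was not collected for."""
        f = self._fields.get(field_name)
        if f is None:
            raise KeyError(f"{field_name!r} is not in the inventory and should not be held at all")
        if purpose not in f.purposes:
            self.audit.append(("denied", field_name, purpose))
            raise PurposeViolation(
                f"{field_name!r} was collected for {sorted(f.purposes)}, not {purpose!r}")
        self.audit.append(("use", field_name, purpose))
        return f

    def record_of_processing(self) -> List[dict]:
        """The inventory you hand to a regulator or a user on request."""
        return [{"field": f.name, "purposes": sorted(f.purposes), "owner": f.owner,
                 "retention_days": f.retention_days} for f in self._fields.values()]


# Constructed example: a mapping app that needs a location and an account email, nothing more.
MAPPING_APP = DataInventory([
    DataField("gps_location", frozenset({"navigation"}), "mobile-team", retention_days=1),
    DataField("email", frozenset({"account", "service_notices"}), "platform-team", retention_days=730),
])


if __name__ == "__main__":
    form = {"gps_location": (51.5, -0.12), "email": "a@example.com", "contacts": ["b@example.com"]}
    print(MAPPING_APP.collect(form))                 # contacts never reach storage
    print(MAPPING_APP.use("gps_location", "navigation").owner)
    try:
        MAPPING_APP.use("gps_location", "advertising")
    except PurposeViolation as exc:
        print("blocked:", exc)
    print(MAPPING_APP.record_of_processing())
```

Putting the purpose on the field definition, rather than in a policy PDF, means a new feature that wants `gps_location` for advertising fails in code review or in testing, which is where you want a purpose-limitation problem to surface.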