Data Privacy vs. Data Security: A Guide

DataGrail, May 10, 2022

When developing your company’s information and data protection policies—whether they’re proactive in support of data minimization or preventative in reducing the risk of a personal data breach—it’s important to understand the roles of data privacy vs. data security. 

Each discipline plays a vital role in ensuring compliance with privacy laws and regulations. Data privacy concerns itself with the extent to which personal data is utilized lawfully, openly and fairly. In turn, data security concerns itself with the security, confidentiality, integrity and availability of that data. Both employ contractual, technical and organizational safeguards to protect data and the people it describes from a range of harms. 

In this article, we’ll go into more detail about each crucial arm of data protection, describe the difference between data privacy and data security, and explore how you can use both disciplines to protect your company’s confidential information. 

What Is Data Privacy?

Before we compare data privacy vs. data security, let’s flesh out each concept. So, what is data privacy?

Data privacy is an umbrella term that describes the principles and strategies for using people’s data responsibly and proportionately to one’s needs. Modern privacy laws share a common set of foundational principles that are the bedrock of any personal data protection program. Privacy teams focus on how and why a business collects, uses and shares personal data through the lens of these principles:  

  • Collection Limitation Principle: Collect only as much as you really need.
  • Data Quality Principle: Inaccurate and irrelevant data benefits no one.
  • Purpose Specification Principle: Be informative and timely about your actual data uses.
  • Use Limitation Principle: Be fair and proportionate with your data uses.
  • Security Safeguards Principle: Practice good security hygiene every time.
  • Openness Principle: Be transparent and clear about your data practices.
  • Individual Participation Principle: Honor privacy rights, from requests to complaints.
  • Accountability Principle: Hold yourself and your partners in demonstrable compliance with applicable rules and policies.

Let’s explore a scenario where you’d consider data privacy during your day-to-day operations:

  • You create an employee engagement survey that you intend for personnel to anonymously submit.
  • To access the survey, employees must log into the company’s performance management app.
  • When users log in, their name and email address are pre-populated in the survey.
  • You realize that this could allow each submission to be traced back to the employee, which would break anonymity and undermine the quality of the results.
  • You adjust the survey’s settings so that contact details are dropped from submissions and results.
  • After testing submissions, you add a note to the top of the form that participation will be anonymous.
  • The engagement survey is now accessible to employees and can be completed in confidence.

In this scenario, you act on the major goals of privacy protection: 

  • Identifying what personal data is necessary and when to meet a specific business need.
  • Taking steps to preserve the privacy of the individuals concerned at the right time.
  • Building trust in the business process and its outcomes.

What Is Data Security?

Data (information) security describes the efforts you take to secure your data processing environments, both their so-called perimeter and their interior. Data security teams focus on the confidentiality, integrity and availability of your information technology infrastructure and systems:

  • Confidentiality: Controlling access to valuable business information, which may or may not relate to an identified or identifiable individual. Per the Security Safeguards Principle, confidentiality helps prevent the unauthorized viewing or disclosure of personal data. Worst-case scenarios lead to personal data breaches and harms like identity theft.
  • Integrity: Keeping data authentic, accurate, and reliable for its intended uses. Per the Data Quality Principle, integrity is the means by which data can be kept correct and current. Data tampering and corruption can lead to a range of harms if that data is used to make legal, professional, or financial decisions about an individual.
  • Availability: Security (and IT) ensuring that information systems function properly so that business and personal data can be used by the organization when needed. Taking steps to recover mission-critical data in case of a fire in one of your server rooms is just one example. Per the Accountability Principle, not having availability safeguards in place can in itself be a data protection violation.

Data security strategies typically include four major tactics:

  1. Implementing software solutions to detect and prevent unauthorized or unwanted access to business data — personal or otherwise.
  2. Architecting IT systems and their configurations to be as secure as possible without sacrificing their utility.
  3. Creating and maintaining policies and standard operating procedures (SOPs) for security operations and incident response.
  4. Training employees and stakeholders on the policies and related best practices to prevent data breaches among other harms.

Let’s explore a scenario where you’d consider data security during your day-to-day operations:

  • You create a spreadsheet containing a list of your top clients with point-of-contact details that you intend only to share with select team members.
  • You password-protect the file and save it in a secure (physical or cloud) location.
  • You share the password with the employees to whom you want to grant access.
  • You request that employees with access don’t share the password with anyone else.

In this scenario, you act on two major security goals:

  • Granting data access (via a password) to appropriate employees.
  • Taking steps to prevent unauthorized access to the data.

Like with data privacy, the overarching goal of security is to ensure data can be utilized in a responsible, accountable way. When security is breached and personal data is exfiltrated or damaged by bad actors, the resulting data loss affects .

How Are Data Privacy and Data Security Different?

Privacy and Security are distinct disciplines and professional practice areas in the same way that neurology and cardiology are distinct medical fields. However, they overlap in a number of important ways to ensure organizations remain diligent and accountable with their data uses.  

Privacy Office:

  • Implements laws and regulations focused on preserving privacy rights and protecting personal data against misuse. 
  • Maintains policies and practices driving open, fair and accountable data practices.
  • Takes special note of sensitive personal data and other specially regulated data.
  • Operationalizes rights & choices of individuals.
  • Champions data minimization and privacy-by-design principles.
  • Works hand-in-hand with Security to secure data by implementing Privacy Enhancing Technologies like end-to-end encryption and anonymization.

Security Office:

  • Implements laws and regulations focused on preventing data breaches and protecting information systems from cyber attacks.
  • Maintains policies and practices driving safe, resilient and auditable data environments. 
  • Takes special note of highly confidential business information, which includes personal and other specially regulated data.
  • Operationalizes layered defense, hardens infrastructure and hunts threats.
  • Champions security-by-default and need-to-know access to data.
  • Works hand-in-hand with Privacy to identify and secure personal data processing systems.

Despite their disciplinary differences, privacy and security professionals work together towards common goals: complying with legal requirements while building trust and reducing data privacy issues.

Why Is It Important to Understand the Difference?

You might already know the difference between data security and data privacy, but why is it important? To create a robust and thorough data protection program, your business should understand and invest in both disciplines. A privacy program cannot be effective if the organization does not have a robust security foundation. In turn, a security program cannot be effective if the subjective requirements concerning personal data are not considered.

For example, sensitive personal data like passport information should absolutely be encrypted in transit and at rest when it is collected. Strong encryption makes it increasingly difficult for hackers to steal the data. But what if your organization has no good reason to collect passport details in the first place? Matching data to data needs and balancing the tradeoffs involved goes beyond data security.

How Do Data Privacy and Data Security Work Together?

Wondering how to improve data privacy? Return to privacy management basics and work cross-functionally whenever possible to: 

  • Identify the systems — internal or external — that process personal data today. Your technology ecosystem may have changed.
  • Determine what kinds of data (standard or sensitive) you handle, or that your service providers handle on your behalf.
  • Work with business owners to verify how this data is used and why. They may no longer need the data for the reasons it was originally collected.
  • Partner with Security to ensure data that needs to be retained is appropriately secured. Access should be needs-based and least-privilege. 
  • Collaborate with Legal to make any necessary updates to your privacy policies, public statements and contracts. Your privacy promises may be out-of-date.
  • Train new and existing employees on your current privacy and security policies. You can’t have one without the other.

Privacy is a team sport. A company that understands and leverages both disciplines is significantly less likely to experience a personal data breach and substantially more likely to create and maintain trust in their business. 

Foundational Data Privacy With DataGrail

Go Further with Privacy. Do your best business with the integrated data privacy solution that builds trust and eliminates risk.

At the core of any data privacy platform and solution is a data map, because to complete a data subject request you need to know where to look to access your data. DataGrail’s Live Data Map provides a blueprint of where data lives in your organization, and any changes made to the systems used at your organization are kept up to date.

Reduce errors, save time and minimize risk when it comes to data-mapping. Create a blueprint of the business systems and personal data in your organization with DataGrail. Request a demo today. 
