Happy Data Privacy Day (and week)! A cherished holiday for our team at DataGrail and many around the U.S. (and world). We are proud to be recognized as a Data Privacy Champion by the Cyber Security Alliance. Because we think one of the best ways to celebrate is by spreading awareness and sharing helpful information, in celebration, a few of our resident Data Privacy, Security, and Protection experts held a recorded Question and Answer session.
We sat down with Alex Krylov (Sr. Privacy Advocate) and Joe Parker (IT and Security Manager) to demystify a few common privacy vs security watercooler questions, how they both fit into “data protection”, and where to get started to put these words into practice. We cover it all.
What we learned:
- What Data Privacy, Security, and Protection are not
- Why you can’t have privacy without some level of security
- Their top suggestions for managing security and privacy
Without further ado, here it is!
We hear a lot of terms floating around—data privacy, data protection, information security—to name a few. What do these terms mean to each of you?
To me, security and privacy are two sides of the same data protection coin (which is why EU ‘data protection’ law talks about generally needing both… and more… to protect the people behind the data.) Our friends in the information governance space will say the coin is actually in their pocket, but that’s another topic.
It’s the old adage of you can have security without privacy, but not privacy without security! Security is about safeguarding the environment in which the data exists, and ensuring that the data is usable to those who are entitled to it. So to me, security is about building trust in the data environment. And privacy is about building trust with whoever controls that environment.
Data Privacy can touch on many areas, but perhaps the best initial frame is to discuss what privacy is not. So what is privacy not?
“It’s not data security. Privacy depends on trust in the security of a system but is independent of it.
It’s not ‘anonymity’. Is ‘anonymity’ even possible in the age of context? Well, yes, but not without technical and personal effort.
It’s not just a set of controls. Transparency, access, choice, etc. are a part of the equation but are not the full picture. You can’t meaningfully control an environment you can’t understand no matter how many levers and toggles you have in front of you.”
To borrow from Danah Boyd, a senior researcher at Microsoft Research, privacy is a “Combination of people having a certain amount of power and agency within [a data] environment, and the ability to understand the environment in a meaningful way.”
Let’s explore the concept of how data privacy and security intersect a little more closely. What’s your take on it?
“We can’t achieve privacy without some level of security. The reason for that is we can’t actually keep things confidential if anyone can get access to them. We can’t actually have a privleged conversation if any can potentially see it. Or, all they have to do is guess my horrible passwords. So at the end of the day, we are our ability to achieve privacy is truly dependent on our ability to secure things well.”
Diving deeper into security, Joe, in your role as Manager for IT & Security, can you tell us a bit about two commonly used security terms: “surface area” and “zero trust”?
“[As a security leader] surface area is all the things that I have to defend against, it’s all the places where I hold information, all the places where an attacker or somebody who wants that information might be going to look for it
“The concept of zero trust, it’s relatively new. It’s something that I think we’re all familiar with. But its application has shown up in computer technology relatively recently. And it’s this idea where we don’t trust anything without some verification.”
Where would you suggest someone start when they begin managing privacy?
I think it’s important to get a sense of your technology footprint… it’s all about fair, appropriate and proportionate use.
Where would you suggest someone start to ensure they are securing their devices?
The one thing that we can all do is keep our software up to date, it might seem boring or uninteresting. But legitimately it is the number one thing that each one of us can do to prevent people from being able to attack us or abuse our privacy.
Putting it together to #RespectPrivacy: As new technologies and new ways of doing business online increase the complexity and variety of data that can be ‘personal’, it is helpful to think of ‘data privacy’ as a negotiation between data-generating individuals and data-driven organizations. So if information security is the foundation of trust in a data environment, then data privacy is the meaningful expression of that trust. As we at DataGrail celebrate Data Privacy Day, we reflect on and appreciate the necessary partnership between Security and Privacy to ensure the protection of data and the people behind the data.
Special thanks to Alex & Joe for your contributions to this post!