I have had the honor of working across various sectors throughout my career, including government, consulting, retail, technology, health care, and sales. Through all of these vastly different industries, a very familiar topic continues to come up: “What makes data security different from data privacy?” In order to understand these distinctions, let’s break down each one, beginning with regulation and industry standards.
Compliance Mandates Stress Protection
If we look back at even just recent history of industry regulation, you will start to see a pattern.
- HIPAA began in 1996, and focused on the healthcare industry with an emphasis on protecting patient data.
- GLBA started in 1999, requiring financial institutions to protect and restrict access to customer financial information.
- PCI DSS began in 2004, with emphasis on protecting credit cards.
These are just a few examples, but you already see a pattern: It’s all about “protecting,” which directly ties requirements to the CISO, CIO, and other technical leadership.
It wasn’t until the announcement of GDPR in 2016 and the enactment of it in 2018 when the definition of “personal information” expanded to include “any information relating to an identified or identifiable natural person.” GDPR would also be the first time an individual would have the right to know and tell companies what they want done with their data.
Data vs. The Individual
When we look at data security, we find the very key fundamentals are security, technical, and administrative controls. Most of the regulations listed above focus heavily on certain sets of data, but not on the individual. This is what leads companies down the path of ensuring things such as technology control, risk management, change control, and other security procedures are in place, monitored, audited, and enhanced as technology evolves.
With the recent introduction of laws such as GDPR and the like, there has been a shift in what data is “sensitive” or “important” to a company. Privacy puts heavy emphasis on the individual and draws attention that something as simple as a birth date, address, eating habits, eye color, and even internet browsing history can be highly identifiable given just a little extra context. Going forward, as laws become more and more complex and all encompassing, companies must stop focusing only on key data sets to protect and take a broader look at their overall data ecosystem with an emphasis at the identity level.
The Need for Appropriate Safeguards
Although the standard security controls are great at ensuring data stays secure and is only accessed by those who have permission, it is not great at knowing things that privacy requires, such as:
- Where the data came from
- Why you have the data
- Whose data is it
- Is the data shared with third parties
- How long will you keep the data
How you answer these questions for each and every system or data element will greatly impact which security controls you may want to have in place for several reasons.
This is why oftentimes in privacy law the term “appropriate” or “adequate” safeguards is used. This doesn’t mean that the regulators expect companies to go spend millions of dollars on new cutting-edge software. The intention of these terms is to ensure companies take a risk-based approach, taking everything into consideration—such as business use cases, data elements, and data subjects—before deciding which parts of their security stack will best protect, enable, and ensure proper transparency for individuals’ data.
Private, Secure, or Both?
As privacy laws like GDPR, CPRA, LGPD, and others continue to expand and new laws are announced, they will have particular differences, but they will ultimately have one thing in common: the requirement of knowing where all of the personal information exists across your ecosystem and why you have the data in the first place.
So now when I’m asked “What is the key difference between security and privacy,” I tell people that security is about locking data away and keeping it safe from outside and inside threats. Privacy is about transparency, and enabling your user base to understand what data you have, why you have it, and who you share it with.
You can absolutely have security without privacy. But you cannot have privacy without security.
Keep your data both secure and private with help from the PK Protect suite. See it in action by requesting your free demo now.