Privacy vs. Security: Understanding the Difference

From controversies like Cambridge Analytica to tussles with Apple over iPhone encryption, to strict privacy laws like the EU’s General Data Protection Regulation (GDPR), and California’s Consumer Privacy Act (CCPA), privacy has shared the spotlight with security over the past decade. What exactly is the distinction between security and privacy? How will this new arm of consumer concern and regulation affect organizations around the world? 

This article covers the nuances between security and privacy, outlines how they work together, and explains how to implement both in your organization.

Are Security and Privacy the Same? 

Privacy and security are intertwined, but they are not the same. Security involves the systems, assets, information, facilities, and data an organization chooses to protect, and how that organization goes about protecting those assets. Security controls might look at how an organization responds to and patches vulnerabilities in its information systems or establishes a process for authentication into facilities or assets. Security controls might even provide the means for privacy to exist and be maintained.

Privacy, on the other hand, has to do with how an entity discloses, uses, controls, employs, or otherwise shares the sensitive, personal data of users. This is a key distinction: privacy-relevant information usually ties back to a human being. Meanwhile, under security, you might have sensitive data that has to do with a company’s metrics or strategy. While this information is indeed sensitive, it does not have an impact on the privacy of a user, a user’s identity, or their data. Privacy controls might look at the encryption of users’ personal data, like healthcare information, or social security numbers specifically. Privacy also involves the relationship of the organization with end users or individuals whose personal data they have collected and/or used, including requirements for data deletion requests.

Image: Data Security, Data Privacy, and their Intersections

Privacy regulations protect a user from having their information shared with a third party without their consent or knowledge. Security measures protect a user’s data from being hacked or stolen. Cybercrimes like identity theft can take advantage of weaknesses in both security and privacy controls, calling for a strategy that mitigates the risks on both sides. When your data is everywhere, it is more likely to be exposed in security breaches, cyber-attacks, and information security incidents.

Can You Have Security Without Privacy?

You can have security without privacy, but they work better when applied in tandem. Privacy controls often add another layer of sanitization, protection, or encryption beyond what is strictly required by popular cybersecurity frameworks, which can benefit organizations by adding another boundary between attackers and users’ data. Combined with best practice data security controls, like strong authentication, and logging and monitoring of anomalies, businesses can prevent or correct unauthorized access to private data. 

Which Is More Important: Data Security or Privacy? 

Most of the time, data security and privacy are equally important, though this depends on your compliance requirements. Based on which frameworks, certifications, and compliance initiatives your organization is pursuing, you may be asked to prioritize security practices and policies over privacy practices and policies, or vice versa. For example, if you are adhering to ISO 27001, the International Organization for Standardization’s guidelines for developing information security management systems (ISMS), your concerns will predominantly center around creating secure systems to protect your organization’s assets. One of those assets may be employee data or protected health information (PHI), but privacy isn’t front and center. If you are adhering to HIPAA guidelines as a covered entity, both the Security and Privacy “rules” must be implemented at your organization, and the focus is on safeguarding and controlling access to protected health information (PHI) and electronic protected health information (ePHI). Some attestations may even allow you to bundle security and privacy, such as the Trust Services Criteria evaluated as part of Service Organization Control 2 (SOC 2) reporting.

As always, a company should take a risk-based approach to identifying its risks and the controls it needs to address them. With increased focus on privacy from governments, consumers, and stakeholders, organizations should keep privacy on the radar and consider implementing privacy controls if they have not already. As with other types of disclosures and reporting, privacy is quickly becoming legislated, and ignoring these trends can set a company back when it later tries to play “catch-up.” Ignoring or neglecting privacy regulations like GDPR and CCPA is a recipe for fines or penalties. If your organization hasn’t already considered the potential impact of privacy in terms of compliance, reporting, and operations, now is the time to start.

Privacy and Data Security vs. Compliance

Compliance involves meeting the requirements of a standard or law. There are many situations in which a company’s compliance requirements are designed to take into account data security and data privacy. As we’ve touched on before, HIPAA requires both security and privacy-type controls for healthcare organizations. Businesses are increasingly requiring their partners and providers to cover privacy, along with security, in their due diligence and disclosures. Data security, data privacy, and compliance in both arenas can demonstrate an organization’s dedication to data integrity and user privacy, as well as establishing controls that can protect an organization from potential threats, security issues, and cybercrime. 

These days, compliance with a standard or regulation generally entails thinking about privacy and security together. Moreover, when you are seeking to achieve compliance with multiple standards, you will likely face significant overlap. The General Data Protection Regulation (GDPR), for example, is predominantly geared towards protecting consumer data, specifically personally identifiable information (PII). If you are ticking off the boxes on your GDPR compliance checklist, you know anyone doing business in or with the European Union must take measures to encrypt or pseudonymize PII. In addition to disclosing what data collection is being performed and what the data is intended to be used for, businesses that comply with GDPR must also provide a means for individuals to request their data and request the deletion of their data. Encryption is a security tool that helps prevent a third party from reading, and thereby potentially exploiting or stealing, a consumer’s PII. Encryption can keep a phishing attempt or a cyberattack from being completely successful, but it isn’t sufficient on its own. GDPR doesn’t spend much time on security measures, though it does stipulate that security measures must match the risks a specific organization faces. It also places hefty fines on organizations that operate in the EU and are noncompliant or experience a breach. Thus, GDPR treats security primarily as a tool for protecting privacy.

Unfortunately, secure systems are often not enough to prevent a compromise of privacy – even internal sharing of protected health information can become a HIPAA violation, for example. In these cases, internal controls to prevent fraud and access controls within an organization become just as important as battening down the hatches against cyber criminals.

Ready to Level Up Your Approach to Privacy and Security?

When you have multiple compliance needs, you may have to take a multi-level approach to protect sensitive information and user data, from financial to health data. Whether you are implementing standards like ISO 27001 to create strong information security management systems or implementing HIPAA guidelines to safeguard protected health information, compliance management software can help you better organize your approach to data privacy and data security concerns. Make sure you don’t miss anything by using a platform that can keep track of all of your compliance needs, including where privacy and security requirements overlap. 

Elevate your privacy and security programs with deeper insights into the people, processes, and technologies supporting your controls. Gain visibility into where your protected information lies, and how it’s being protected. The right compliance management software can make your job much simpler and ensure that you are protecting your users’ data and your organization’s internal networks against attack.

Frequently Asked Questions About Privacy vs Data Security

Can you have data security without privacy?

You can have security without privacy, but they work better when applied in tandem. Privacy controls often add another layer of sanitization, protection, or encryption beyond what is strictly required by popular cybersecurity frameworks, which can benefit organizations by adding another boundary between attackers and users’ data. Combined with best practice data security controls, like strong authentication, and logging and monitoring of anomalies, businesses can prevent or correct unauthorized access to private data.

How do data privacy, data security, and compliance compare?

Data security, data privacy, and compliance can demonstrate an organization’s dedication to data integrity and user privacy, as well as establishing controls that can protect an organization from potential threats, security issues, and cybercrime.

Vice

Vice Vicente started their career at EY and has spent the past 10 years in the IT compliance, risk management, and cybersecurity space. Vice has served, audited, or consulted for over 120 clients, implementing security and compliance programs and technologies, performing engagements around SOX 404, SOC 1, SOC 2, PCI DSS, and HIPAA, and guiding companies through security and compliance readiness. Connect with Vice on LinkedIn.