Exploring the Intersection of Data Privacy and Data Security
In 2006, at the dawn of digital marketing, a British mathematician and marketing expert named Clive Humby tried to explain the importance of consumer data to modern business by saying, “Data is the new oil.”
At a time when marketers were finding endless new ways to collect and manipulate data from consumers, the comparison to oil made sense.
Since the mid-20th century, oil has provided the energy needed to power production and to drive transportation and distribution. Like oil, consumer data underpins our modern economy, from technological innovation to product development to advanced marketing.
But unlike oil, data is not a finite natural resource.
Oil’s power comes in part from its scarcity. Governments and industries literally fight to control access to it. And while people fight over data, it’s not because of a limited supply. In fact, data is the ultimate renewable economic driver.
According to the World Economic Forum, by 2025, we will be generating 463 exabytes of data daily. One exabyte is the same as one billion gigabytes. It’s an unimaginable amount of data to process, analyze, and protect.
Here’s the other challenge: the definition of “protecting” data can change depending on who you’re talking to and where they’re operating.
For a chief technology or information security officer, protecting existing data means keeping it safe from unauthorized access and public exposure. For a privacy officer (and most consumers), protecting data means ensuring consumers’ sensitive personal information is used appropriately and ethically.
Historically, data security and data privacy have been siloed from each other, but as consumer data is increasingly integrated into every operational function, companies are finding the old ways of doing things inefficient and ineffective. Business leaders should instead take an intersectional approach that capitalizes on the strengths of both disciplines.
So what does that look like?
What is data security?
When we talk about data security, we’re talking about the tools and procedures used to protect data from unauthorized access. It encompasses things like:
- Firewalls that block unauthorized network access and help prevent a data breach
- The CISA Known Exploited Vulnerabilities (KEV) Catalog
- Multi-factor authentication and password requirements that limit data access
- Malware detection tools that scan for viruses, ransomware, etc.
The strength of data security lies in understanding how data is collected, stored, and protected. Its weakness is that it does not, on its own, tell you what data is being collected, why it’s being collected, or how it’s being used.
Data security is crucial to data privacy, but it’s possible to have a good data security program that fails to meet data privacy best practices.
What is data privacy?
Data privacy refers to the processes used to govern data collection, processing, sharing, storage, and management to ensure information is only used in ways a consumer (known as a data subject in the privacy world) has agreed to.
Data privacy strengths include understanding what type of data is collected, how it’s used, who has access to it, and how businesses explain all of that to their customers.
It’s not possible to have a data privacy program without data security, but there is more government oversight of data privacy.
There are multiple laws currently governing data privacy, including the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the California Privacy Rights Act (CPRA). In the US, which has so far left data privacy legislation up to individual states, four states besides California have laws that come into effect in 2023 (Virginia, Colorado, Utah, and Connecticut).
Data privacy vs. data security: your crib notes
Data privacy and data security are complex, but if you want a quick TL;DR takeaway as to the main differences between the two fields, we’ve got you covered below.
Data privacy focuses on:
- What data is collected, how it’s used, and with whom it’s shared
- Ensuring proper disclosure of data practices to customers and employees
- Creating policies and best practices for how data is used and shared
- Managing individuals’ rights over the data processed about them
- Maintaining compliance with the various privacy laws and regulations
Data security focuses on:
- Policies and procedures for ensuring data is not accessed by unauthorized users
- Controls and methods for securing collected, used, and shared data
- How data is protected against cyberattacks
Why you need to balance data privacy with data security
Data privacy and data security use different but related methodologies to manage data risk. With hackers getting more sophisticated and data privacy regulations becoming more aggressive, striking the right balance between security and privacy requires a cross-functional, consumer-first approach.
Here’s a real-world example.
Say your consumer packaged goods company has customers in the EU and in California, which means you have GDPR and CCPA/CPRA compliance obligations.
On the data privacy side, you need to:
- Publish a transparent privacy notice that is easy to find on your website and that:
  - Details the legitimate purposes for collecting and processing personal data
  - Explains how your customers can submit a data subject access request (DSAR) or individual rights request to exercise their rights of access, data portability, correction, deletion, and restriction of processing
- Minimize the amount of data collected and understand the data flow (how data is collected, processed, and used) by completing a data inventory
- Update cookie consent banners
- Vet vendors’ security practices to ensure they meet the same standards
These privacy laws also mandate that your company provide “reasonable security measures” to protect your customers’ sensitive personal information.
While specific parameters for “reasonable security measures” aren’t outlined, they might include:
- Restricting access to the minimal amount of data needed to complete a task
- Strict password requirements
- Encryption protocols
- Automated and redundant processes for installing software updates and patches
But even if you implement all the data privacy and data security solutions listed above, it’s still possible for your data to be at risk and for you to be out of compliance with existing privacy laws. You still have to:
- Provide regular and engaging training to your employees to make sure they understand both the technology and processes you’ve put in place to protect your customers
- Develop and practice an incident response plan so a breach can quickly be detected and contained and affected individuals can be notified
- Conduct annual reviews of privacy notices and internal policies to make sure they are still in line with compliance requirements and privacy best practices
If all these tasks seem overwhelming, don’t panic. Every major responsibility can appear mountainous at the beginning. The good news is that you don’t have to do everything all at once. Many of these tasks naturally lead to the next step in your privacy and security journey.
What’s more, these programs are more effective when run by a cross-functional team, with each member bringing their own expertise and perspective to the process.
Risks of not getting the balance right
It might seem like the risks of failing at either data privacy or data security are obvious, but the ramifications can be even more intense and last longer than most people realize.
For starters, the cost of a data breach is higher than it has ever been. In 2021, the average total cost of a breach reached a record-breaking $4.24M. That cost went up if remote work or compromised credentials played a role in the breach.
In addition to these hard costs, companies that run afoul of statutory requirements risk injunctive action that can disrupt operations, damage reputations, and negatively impact revenue.
But perhaps the most significant risk associated with poor data security and data privacy management is the loss of consumer trust. As third-party cookies are phased out, first-party data (data users give to you directly) is going to be the new gold standard.
And you can’t get first-party data from people who don’t trust you.
Consider the following statistics:
- 88% of customers won’t use services or purchase products from an organization they don’t trust
- 39% of consumers have already lost trust in a company due to a breach or data misuse
- 84% of people want more control over how their data is used
- 92% of customers believe a proactive approach can prevent a breach, which is why 60% of US residents blame the company more than hackers in the event of a breach
If you don’t take your customers’ privacy (and their desire for it) seriously, you’re going to lose them to a competitor who does.
What you stand to gain
Done correctly, a data management program that thoroughly integrates data privacy and data security will deliver an investment return that far exceeds the initial cost.
For example, a 2019 Cisco study found that GDPR-compliant organizations had an average of 133,000 fewer records compromised than non-compliant companies. They also had three fewer hours of system downtime related to cyberattacks, and only 37% of GDPR-ready companies that were breached had a loss of over $500K.
The same study found that 97% of companies had gained a competitive advantage or investor appeal after investing in privacy. Even better? More than 40% of organizations saw a benefit at least twice that of their privacy spend. And 42% of companies said focusing on privacy increased their ability to stay agile and continue innovating.
This data demonstrates that focusing on data security and data privacy does more than help you avoid negative consequences. Building a robust data management program, which is something you should be doing anyway, has the potential to increase efficiency and improve your operations in a collaborative way.
Get the help you need from an expert you can trust
If you are confused about balancing your company’s data security and privacy needs, the experts at Red Clover Advisors are here to help.
With backgrounds in marketing, business, and privacy management, we understand the complex ways privacy and security impact your operations. We also know that starting the process of building a data management program can feel like a daunting task for someone who isn’t an expert across all these disciplines.
We have years of experience helping clients build practical, pragmatic solutions that are functional and compliant. Whether you need help finding your vulnerabilities, improving your processes, training your team, or vetting your vendors, we excel at helping you get the results you need to meet your customers’ expectations and your compliance obligations.
Contact us today to get started.