What is the difference between privacy and security?
Good question! If you’re not sure, you’re not alone. These two issues are related—but they’re not exactly the same. Curiosity piqued? Allow us to explain.
Two sides of the same data governance coin
Most people use privacy and security interchangeably when they talk about data. Because they are so closely related to and dependent on each other, it’s understandable.
But it’s not accurate.
What is data privacy?
In the professional privacy world, we define data privacy as anything related to the way organizations collect, handle, process, use, and store the personal information of individuals who could be consumers, users, clients, patients, employees, or citizens. Part of data privacy is maintaining compliance with local and federal laws.
What is data security?
Data security, on the other hand, is defined as the practice of protecting digital information from malicious threats, corruption, or theft. Touching every operational application of information security, data security encompasses the tools, technology, and security controls used to deter and/or prevent bad actors from gaining unauthorized access to sensitive information.
They go together like PB&J
Taken together, data privacy and security are the perfect example of cybersecurity symbiosis. In fact, the title of this article is misleading—it’s not privacy versus security. They aren’t fighting each other for dominance, they are working together to lift each other up.
But like most symbiotic relationships, it’s a complicated, delicate balance. Think about it like this: your house needs windows to protect your privacy and your security. If your house has no windows, anyone can climb in and go through your fridge or your files and walk out with your family heirlooms.
If you install windows, your security is dramatically increased because your would-be thief can’t get in your house without significant effort. You also have more privacy, since no one can see the secret guilty stash of spray cheese you have in your fridge for bad days. (Also, you know, they can’t go through your cabinets and find your social security card or other private data).
But your privacy isn’t totally protected. Someone could still look through your windows and watch you eat your spray cheese after your boss chews you out on Zoom, or worse. Even with the windows, you need to put up blinds to safeguard your privacy.
We can keep this metaphor going. Adding alarms to your windows? That’s another security control. Hanging drapes over your blinds? Ta-da! You’ve got extra privacy control in your arsenal. Good data protection programs have interrelated safety measures layered on top of each other in a cozy cybersecurity cocoon.
So which comes first, the peanut butter or the jelly?
Most clients come to us asking which program they should build first, their data security or data privacy program.
The answer?
Because they are so intertwined, you need to do it simultaneously. And with more and more jurisdictions starting to pass legislation similar to the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), you need to start soon.
So let’s talk best practices, the kind that can help confused, overwhelmed, and/or resource-strapped teams make meaningful changes.
Data security best practices
Even the most un-techy business owners know they need secure systems to protect the private data they collect from their users. Data breaches and the resulting identity theft that often follows have real financial and reputational costs.
A strong data security system is built on the three pillars of information security—confidentiality, integrity, and availability.
- Confidentiality means data is only accessible to individuals with the appropriate permissions.
- Integrity means data is not tampered with, modified, or degraded at any point in the data lifecycle.
- Availability means data is protected against things like power surges, hardware failures, and cyber threats while still being accessible to authorized users on demand.
No system is 100% secure, but here are a few examples of ways you can lower your rirsk.
- Data mapping: Following a data record through its full lifecycle will expose where data is vulnerable in your system.
- Access controls: The principle of least privilege, only granting access to the minimal amount of data needed to complete a task, can dramatically reduce the risk of exposure through low-level accounts or devices.
- Strict password requirements: Encourage your teams to change their passwords regularly and to make sure their passwords are different from passwords they use for personal accounts.
- Multi-factor authentication: Using a combination of passwords, pins, verifications, physical objects (like a key fob), and biometric scans provide additional security in verifying data access.
- Device guidelines: If you don’t have company policies prohibiting employees from using work devices for personal reasons (or vice versa), you need them. The same thing goes for employees using public Wi-Fi channels.
- Encryption: De-identifying and anonymizing your data removes personally identifiable information, so even if you’re hacked, it’s much harder for the bad guys to use your data.
I have to give you one warning: you can have the absolute best security practices in the world and not meet regulatory and best practice standards for privacy.
That’s why it’s so important to build your security processes alongside your privacy program. You don’t want to have to redo all the hard work you put into your information security program because your privacy practices aren’t up to snuff.
Data privacy best practices
With consumers developing a growing awareness of the privacy landscape and demanding more control over how their sensitive information is collected and used, even companies that aren’t subject to privacy laws like the GDPR or the CCPA should be actively invested in building privacy into their workplace culture.
Strong privacy programs are built on the following principles:
- Choice means your users get to decide what data they want you to collect, how they want you to use it, and how you share or sell it.
- Transparency means your users/consumers can easily find clear descriptions of your privacy policies, including what data you are collecting and how you are using it.
- Data minimization means you collect the minimal amount of data needed to make your business function and store it for the minimum time necessary.
- Confidentiality means you protect the data you collect with the most stringent security controls possible.
These principles are important, but the most important, most foundational principle for privacy programs is choice.
Choice gives your customers a voice in their relationship with you, no small thing in a world where personal data is part of almost every transaction. And on a non-philosophical-but-still-important level, giving your customers choice makes your life easier. By utilizing a preference center, you give your customers the chance to correct their personal data if the information you’ve collected is inaccurate, and control how and how often you contact them. This benefits your own data sets and marketing campaigns!
Here are some specific steps you can take to strengthen your privacy practices:
- Data mapping: Yep. This process is critical to both data security and data privacy. If you don’t know what you’re collecting, what you’re doing with it, or where you’re storing it, how can you possibly protect it?
- Privacy policy updates: Is your privacy notice outdated and hard to understand? Take this opportunity to update your privacy notices and make them user-friendly.
- Cookie/vendor audits: Privacy laws hold companies accountable for how their vendors use the data they share, so you need to make sure your third-party vendors and the cookies they provide have the same strict standards for privacy management.
- Training: Your employees can make or break your security and privacy programs. They are simultaneously your biggest risk and your greatest asset. It’s up to you to actualize their potential by training them well enough that they clearly understand their role in your privacy program.
- Build a preference center: A preference center, a centralized location where your users can interact with all aspects of your privacy program (request access to data, opt-in or opt-out of data collection/sale, change communication preferences, read privacy policies, etc.) streamlines privacy management processes for you and them. Win-win!
It’s sandwich-making time
As evidenced by the battles overusing social media and facial recognition programs as part of law enforcement and intelligence gathering investigations, the balance between privacy and security will continue to evolve. As technology and consumer expectations change, you can expect best practices and regulatory requirements to follow.
While it may seem like a lot of work now, the best way to prepare yourself for these changes is to build an agile, responsive process now. Then, as changes come, you can build on your progress instead of having to start from scratch.
Red Clover Advisors is here to help you. We are experts in creating the perfect balance of peanut butter and jelly, er, privacy and security, in your data governance program. Contact us today to learn more.