When it comes to data privacy vs. data security, we can frequently hear or read those terms being used interchangeably. However, are these indeed synonyms, or do they denote slightly different concepts?
What is Data Privacy
There are various privacy definitions online. Data privacy or Information privacy is concerned with proper handling, processing, storage and usage of personal information. It is all about the rights of individuals with respect to their personal information.
The most common concerns regarding data privacy are:
- managing contracts or policies,
applying governing regulation or law (like General Data Protection Regulation or GDPR),
- third-party management
Privacy, in general, is an individual’s right to freedom from intrusion and prying eyes or the right of the person to be left alone.
It is guaranteed under the constitution in many developed countries, which makes it a fundamental human right and one of the core principles of human dignity, the idea most people will agree about.
Any risk assessment conducted for the purpose of enhancing the privacy of individuals’ personal data is performed from the perspective of protecting the rights and freedoms of those individuals.
What is Data Security
Data security is focused on protecting personal data from any unauthorized third-party access or malicious attacks and exploitation of data. It is set up to protect personal data using different methods and techniques to ensure data privacy.
Data security ensures the integrity of the data, meaning data is accurate, reliable, and available to authorized parties.
Data Security methods practices and processes can include:
- activity monitoring
- network security
- access control
- breach response
- multi-factor authentication
Similarities and differences between Data security and Data privacy
In short, data privacy and data security are, by no means, the same terms. Data privacy is about proper usage, collection, retention, deletion, and storage of data. Data security is policies, methods, and means to secure personal data.
So, if you are using a Google Gmail account, your password would be a method of data security, while the way Google uses your data to administer your account, would be data privacy.
Think for example of a window on a building; without it being in place an intruder can sneak in and violate both the privacy and security of the occupants.
Once the window is mounted it will perform a pretty decent job in keeping unwanted parties from getting into the building. It will, however, not prevent them from peeking in, interfering thus with the occupants’ privacy. At least not without a curtain.
In this (oversimplified) example the window is a security control, while the curtain is privacy control.
The former can exist without the latter, but not vice versa. Data security is a prerequisite for data privacy. And information security is the main prerequisite to data privacy.
When it comes to cybersecurity (i.e. computer, digital), we can agree that it refers to protective measures that we put in place to protect our digital assets from harmful events such as human and technical errors, malicious individuals, and unauthorized users.
However, for the sake of completeness, we have to admit that even in this day and age not all information is digital.
We still deal with numerous paper documents, which in turn hold very valuable information worth protecting.
This is exactly where the term information security comes in handy, denoting the practice of preventing unauthorized access, use, disclosure, modification or destruction of information in whatever form.
The three pillars of information security:
- Confidentiality – prevents sensitive information from reaching wrong people, while making sure that the right people can use it;
- Integrity – maintains the consistency, accuracy, and trustworthiness of information over its lifecycle; and
- Availability – ensures that the information is available when it is needed.
These are very often referred to as the C-I-A triad, and they all have to be addressed in order to achieve a satisfactory level of information security.
Like many things in life where nothing is perfect, the same goes for security; there is no such thing as a 100% secure system. There are only acceptable levels of risk.
This means that in order to secure information an organization must first conduct a formal risk assessment.
The risk assessment will then be cross-referenced with the organization’s risk acceptance criteria (these are developed in line with the organization’s risk appetite, i.e. their willingness to accept a predefined level of risk) and consequently, a risk treatment plan can be developed.
Only then security controls will be chosen with the aim to mitigate specific residual risks. In information security, this is known as a risk-based approach to security.
When you think about it, it makes sense – it would be very difficult to justify spending 100 euros to protect an asset that only costs 10 euros.
What about data protection?
Assuming that we have done a decent job explaining what data security and data privacy are, you might be wondering about the term data protection and how it fits in the whole picture.
Data protection is essentially amalgamated security and privacy.
With each of the two dealing with their own set of challenges, when combined it delivers protected usable data as the result.