Is your data protected? Both data privacy and data security are critical to mitigate financial, reputational, and compliance risks for enterprises.
These terms are often used interchangeably, which causes much confusion. Understanding the similarities and differences between data security and data privacy is key to establishing a more robust compliance program.
So how are data privacy and security distinct? At the highest level, data privacy focuses on governing internal data access and ensuring the people represented by the data have control over their information. Data security, on the other hand, focuses on unauthorized access to data.
In this blog, we’ll compare and contrast data privacy and security, and make the case that both are essential and complementary for an effective data governance program.
What Is Data Privacy?
Data privacy ensures data is used responsibly, and that personal information is used in a way that is authorized, fair and legitimate.
Privacy laws, policies, and procedures protect data during collection, storage, and processing activities. These policies may be internal to an organization or driven by regulating agencies. Data privacy is most notable in its protection of personally identifiable information (PII), which includes:
- Individual Name
- Individual Address
- Email address
- Social security number
- Credit card or bank account information
- IP address
An organization's privacy framework defines what counts as personal information, together with the rules, processes, and technologies that protect it. Such definitions are useful because they specify what makes a piece of information personal or identifying (and which fields must be removed or altered before a record can be considered anonymized).
Recent rules around PII are mostly driven by consumers who value information privacy. They want to exercise their right to control their private data: Who uses it, when, and how. In response, local and federal regulatory bodies have established data protection and privacy laws that require organizations to protect and properly manage PII. Some of the most notable regulations are:
- The European Union General Data Protection Regulation (GDPR)
- California Privacy Rights Act (CPRA), expanding the California Consumer Privacy Act (CCPA)
- Gramm–Leach–Bliley Act (GLBA)
In general, these regulations require organizations to have policies explaining why they collect PII and how they plan to use it. If a business sells PII, data leaders need to make sure that consumers have the ability to opt out. Most of these regulations also cover the third-party management and processing of data. As part of managing contracts, data leaders are responsible for monitoring how those outside parties protect PII – and will often go so far as to include clauses about this in contracts.
Privacy in Practice
Although PII privacy is driven by consumers and enforced by regulatory bodies, organizations shouldn’t approach privacy with reluctance or treat it as just an add-on. In Privacy by Design — The 7 Foundational Principles, Ann Cavoukian, the former information and privacy commissioner of Ontario, Canada, recommends having privacy “embedded into every standard, protocol, and process that touches our lives” with a universal framework embodying the following principles:
- Proactive not Reactive — Anticipate and prevent privacy-invasive events before they happen.
- Privacy as the Default Setting — Ensure personal data is automatically protected — by default.
- Privacy Embedded into Design — Make privacy an essential component of the system’s core functionality.
- Full Functionality — Use an approach where both privacy and security are achieved, rather than having them at odds.
- End-to-End Security — Maintain secure information management throughout the entire lifecycle.
- Visibility and Transparency — Establish accountability and trust, as well as openness and compliance.
- Respect for User Privacy — Empower data subjects to actively manage their own data.
This data privacy framework will enable the authorized, fair (i.e., following fair information practice principles), and legitimate processing of personal information.
What Is Data Security?
Data security is a broad function that at its core is chartered to protect data. The role of data security has changed over time; it was originally focused on the physical security of hardware and electronic access to it; today the focus has shifted to the need to secure data with a deeper understanding of the data itself.
Data security consists of the policies and processes for preventing unauthorized access to systems, networks, and applications that maintain data. More broadly, you must have controls in place to protect sensitive data from malicious attacks and data exploitation. It is critical that firms view data security as part of governance, risk management, and compliance (GRC).
In Data Protection, Governance, Risk Management, and Compliance, author David Hill argues that data security must evolve, and discusses the need to expand data security from an infrastructure-specific capability to more of an information-centric capability that is “good to the last bit.”
As part of a robust data security program, you must establish internal policies and procedures to mitigate the risks of a data breach. Some mitigation controls that help protect sensitive information include:
- Multi-factor authentication (MFA) prevents access to resources until a user proves their identity using a combination of methods, such as entering a password plus a code provided via text message.
- Access controls govern user access to data through permissions.
- Network security prevents unauthorized access at the network level.
- Encryption involves using mathematical algorithms to “scramble” data to make it unusable even if someone gains unauthorized access.
- Monitoring activity looks for abnormal activity across systems and networks that may indicate a data breach.
- Incident response puts into action a set of people, processes, and technologies to investigate, respond to, and restore systems when unauthorized access occurs.
It may also be useful to think of data security in terms of stages, which have evolved over time with advancing technology. The Privacy Engineer’s Manifesto [1] identifies these stages as:
- Firewalls. In the early days of computing, firewalls prevented unauthorized access to or from a private network.
- Net. With the rise of the internet, concerns around spam and identity theft gave rise to early online privacy measures.
- Extranet. Portals enabled access and self-service features to the few, and firewalls grew more porous as the web transformed from pure publishing to a collaborative, interactive platform.
- Access. Social networks, blogs, and smartphones democratized content sharing — and increased privacy concerns and corresponding regulations.
- Intelligence. Information is tailored to the individual. Examples include driving apps that provide real-time conditions (and updates based on traffic) and shopping apps that provide local price comparisons.
Next-generation approaches to data privacy and security will further integrate data intelligence into processes to ensure access is tailored to user permissions.
What Are the Differences Between Data Privacy and Data Security?
Despite their differences, data privacy and data security are interlinked. IT leaders generally view data privacy as a sub-component of data security. And more recently, data governance leaders are making data security a central focus of their responsibilities.
To illustrate the subtle differences between data privacy and data security, consider a bank vault. A bank vault has both security and privacy measures in place to protect the contents within.
Security features thwart external threats. Guards, an alarm system, and the vault’s lock represent security features.
Privacy measures prevent internal threats. Those may include protocols that limit employees’ access to the vault or knowledge of its contents. Privacy measures can also mitigate external threats, so if personal information is stolen, its value is restricted by anonymization.
Taking a wider view, the primary differences between data privacy and data security are:
- What you protect data from: Data security focuses on unauthorized access to data no matter who the unauthorized party is. Data privacy ensures that sensitive data is used legally, so that personal information is processed in a way that is authorized, fair and legitimate. This ensures information privacy, so that the owner of sensitive data provides consent to use the information while maintaining compliance with the practices that protect it during processing, storage, and transmission.
- Who protects the data: Data security focuses on using tools and technologies, like firewalls, user authentication, and network limitations. Data privacy focuses on individuals within the organization who are responsible for protecting data while also informing data subjects about the types of data that will be collected, the purpose of collection, and whether or not data should be shared with third parties.
- How they fit together: Data security is a prerequisite for data privacy because you need to keep unauthorized users away from that data to prevent a malicious attack. Data privacy adds an extra layer of protection by ensuring that people authorized to access systems use data responsibly.
What Are the Similarities Between Data Privacy and Data Security?
While they have several significant differences, the fact that data security is fundamental to data privacy also means that they have many similarities. In fact, most privacy laws include data security protections and best practices. If you do business in a regulated region or industry, or manage a regulated type of data, then you must comply with the applicable laws.
Compliance risk is a commonality between data security and data privacy. Whether you’re a retailer, healthcare provider, or financial institution, you have to follow your industry’s compliance mandates or else risk fines and penalties. Compliance regulations mandate both data security and privacy protocols that organizations must follow, and include:
- General Data Protection Regulation (GDPR): Created the international standard for protecting European Union consumers’ privacy by defining who needs to be protected (data subjects), types of protected personal data, and how to use data security technologies as part of data privacy initiatives.
- California Privacy Rights Act (CPRA): Updated the California Consumer Privacy Act (CCPA) to incorporate technical security controls as part of protecting consumer PII.
- Health Insurance Portability and Accountability Act of 1996 (HIPAA): Established the Security Rule and Privacy Rule for managing Protected Health Information (PHI), creating an overlap between the administrative controls used for both.
- Payment Card Industry Data Security Standard (PCI DSS): Established detailed steps for protecting cardholder data that include network security, encryption, and access controls.
- ISO 27701: Expands ISO 27001 with privacy controls, establishing a Privacy Information Management System (PIMS) that enhances the existing Information Security Management System (ISMS).
- NIST SP 800-53 Rev. 5: Provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks.
- SOC 2: Defined by the American Institute of Certified Public Accountants (AICPA), System and Organization Controls (SOC) 2 covers Privacy as one of its five Trust Service Principles.
In fact, you might need to comply with multiple mandates. A doctor’s office that collects payments by credit card needs to comply with both HIPAA and PCI DSS.
Data tokenization helps manage both data security and privacy by pseudonymizing sensitive information. Basically, this means processing information in a way that requires additional context to identify the data subject.
For example, many companies that need to comply with PCI DSS replace part of a credit card number with asterisks. This removes the full number from data at rest and limits what users can see.
Often, data tokenization is combined with data encryption to create a complete data security and data privacy compliance posture.
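As an added illustration (not code from the original post or from Alation's product), the vault-based tokenization just described, in Python: the order database keeps only a random, format-preserving token and a masked display string, and the real card number can be recovered only by a party holding the vault. The card number used is a constructed test value.

```python
import secrets
import string

# Constructed sample: a well-known test card number, not a real account
SAMPLE_PAN = "4111111111111111"


def mask_pan(pan: str) -> str:
    """Display form: replace all but the last four digits with asterisks."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Maps real card numbers to random, format-preserving tokens.

    A token reveals nothing about the PAN beyond its last four digits;
    recovering the PAN requires access to this vault, which is the
    'additional context' that pseudonymization depends on.
    """

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._pan_to_token:  # same PAN -> same token, so joins still work
            return self._pan_to_token[pan]
        while True:
            body = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
            token = body + pan[-4:]  # keep last four so users can recognise the card
            if token != pan and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only a caller with vault access (e.g. the payment processor) can do this."""
        return self._token_to_pan[token]


def store_order(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What lands in the order database: token plus masked display value, never the PAN."""
    token = vault.tokenize(pan)
    return {"card_token": token, "card_display": mask_pan(token), "amount_cents": amount_cents}


if __name__ == "__main__":
    vault = TokenVault()
    record = store_order(vault, SAMPLE_PAN, 4200)
    print(record)
    print("processor recovers:", vault.detokenize(record["card_token"]))
```

A second vault instance (or any system without vault access) cannot map the token back, which is what makes the stored record pseudonymous rather than merely masked.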
The Role of Data Governance in Data Privacy and Data Security
According to the Data Governance Institute, data governance is “a system of decision rights and accountabilities for information-related processes, executed according to agreed-upon models, which describe who can take what actions with what information, and when, under what circumstances, using what methods.” An organization’s approach to privacy is defined by data governance, e.g., how information is gathered, managed, and used. In this way, data governance is fundamental to your data security and privacy initiatives.
A compliance-focused governance program typically arises due to compliance concerns. [2] These may stem from privacy, security, or access management and permissions concerns, or a need to adhere to contractual, internal, or regulatory requirements. Often, the charter for this sort of program will make data stewards accountable for protecting sensitive data, and require that they:
- Assess risk and create controls to manage each type of risk
- Enforce compliance requirements, from regulatory to architectural and contractual
- Assign duties, clarify stakeholders, and set a decision-rights framework
The Business Case for Data Privacy and Data Security
Risk prevention and mitigation for both data privacy and security offer several business benefits. When you reduce risks, you limit the financial loss that compliance violations can cause while increasing customers’ trust in your business. On the data security side, you also protect your business from incurring costs from activities, like notifying customers that a breach occurred or rebuilding your brand after a data breach is made public.
Data governance with a data catalog provides a framework to manage data security and privacy at scale. In short, you need to know all the sensitive data that you store, process, and transmit, what technologies use it, who accesses it, and what access they have. With a data catalog, you’re able to effectively manage your data privacy and security compliance.
How to Ensure Data Security and Data Privacy with Alation
Key data governance features support data privacy and security while mitigating risk. Alation extracts data to catalog your entire data environment. This creates a single location with a holistic view of all data. This makes it possible to apply the principles of data governance and privacy to all enterprise data. It does this with a suite of key features, which include:
- Classification and tagging. Stewards can organize data by domain, and tag sensitive or private data accordingly. Masking features can then conceal PII from data users who do not have access permissions.
- Policy center. Governance leaders can create policies that guide appropriate usage of private or sensitive data. A data catalog will surface those policies to enforce secure, compliant usage of that data at point of consumption.
- Stewardship workbench. This feature empowers stewards to curate data at scale with help from AI and ML. With this workbench, stewards can apply privacy settings across multiple datasets simultaneously.
With Alation Data Privacy and Compliance, policies are transparently managed to protect sensitive data. Business users can create definitions of data types and categorize them according to compliance requirements. This allows you to apply data privacy controls, like assigning responsibility or data masking. Alation also allows you to leverage autonomous data stewardship, giving your teams the ability to use data without creating data security and privacy risks. With data risk audit and reporting capabilities, Alation gives you real-time visibility into compliance by tracking data usage to monitor for policy violations that may lead to potential fines and penalties.
Alation also boasts rigorous privacy and security certifications for our cloud platform, so your cloud migration is secure and protected.
For more information, request a free demo to learn how the Alation data catalog supports your organization’s data privacy and security initiatives.
1. Dennedy, Michelle, et al. The Privacy Engineer’s Manifesto: Getting from Policy to Code to QA to Value. Apress, 2014.