New data privacy regulations like GDPR and the California Consumer Protection Act of 2018 (CCPA) are forcing many organizations to factor privacy into their data security programs like never before. Do these new privacy mandates effectively merge the security and privacy disciplines—or can they remain siloed?
Data Security vs. Data Privacy
Let’s start answering that question by defining what the two terms mean, as they are often used interchangeably. Data security is about protecting data from loss or theft. Data privacy concerns how and why data is collected, used, shared, sold and managed. Another way to contrast the two is that data security is seen as an organization’s responsibility, while privacy is an individual right to be safe from unwanted attention and observation.
Security and privacy are traditionally separate in terms of corporate roles. Security leaders like Chief Information Security Officers (CISOs) usually have technology backgrounds and focus on assessing and mitigating security risks. Privacy leaders (e.g., Chief Privacy Officers) are more often legal or compliance professionals, who focus on how laws and regulations impact how an organization collects, uses, discloses, retains and destroys peoples’ personal data.
At the same time, privacy and security functions clearly interrelate. Controls that protect networks and data in general also need to protect employee and customer privacy. Conversely, many data breaches have major privacy implications for the individuals whose personal data is stolen.
It’s hard to imagine any way to uphold privacy without security safeguards in place. But it’s certainly possible to have security without privacy. For example, even highly effective security tools won’t protect privacy if employees or vendors mismanage personal data.
Good data protection doesn’t necessarily equate to compliance with privacy laws. To enforce privacy, you need to know what sensitive data you have, where it resides and what business processes access it. Many organizations don’t have this information at their fingertips today—and getting a handle on it is a critical first step toward GDPR or CCPA compliance.
But thinking about security and privacy holistically has the potential to benefit businesses in ways that balance or even outweigh new privacy compliance costs. One benefit could be lower overall cost for privacy-/security-related initiatives through eliminating redundancy. Another would likely be lower overall risk, fewer breaches and privacy-impacting issues, since a holistic focus would raise organizational awareness of both disciplines.
Security Awareness Training
Perhaps the most beneficial way to combine security and privacy would be to add a discussion of privacy issues to security awareness education programs, especially for employees who handle sensitive data. Seeing beyond the data to appreciate its value and the privacy consequences of mishandling it would clarify “why” employees need to understand and follow policy, not just “what” to follow.
The end result… not just a “security culture” but a deeper “privacy culture” that upholds stakeholder trust, reduces data protection risks and confers competitive advantage.
To start a discussion on how to address security and privacy holistically, contact Pivot Point Security.