Data Security vs Data Privacy: What's the Difference?
Data Security vs Data Privacy
The main difference between data security and data privacy is that data security is the process of securing personally identifiable data from malicious entities, such as hackers and cybercriminals. Data privacy, on the other hand, refers to communicating your organization's data handling practices to an external audience, including details on how data is secured and what rights customers have to their information.
But even with all the work in the data privacy world, there is some confusion about the concepts of “data privacy” and “data security.” Sometimes these terms are used interchangeably, and Europe’s use of the term “data protection” in the name of its regulation isn’t helping.
It turns out that “data security” and “data privacy” are related but distinct ideas. When you plan IT budgets, staffing, and activities, it’s helpful to understand the distinction and the circumstances under which you need to be concerned about each.
In this article we discuss these concepts, their similarities and differences, and how they are (and are not) related to each other.
Data Security
The concept of data security involves how organizations protect data in their possession from unauthorized access, use, and distribution. Data security covers any kind of data, including that of customers and website visitors.
Data security is a broad topic, but the main ideas boil down to these:
- Access control: Control of physical and logical access to hardware, applications, and network resources related to data
- Authentication: Assurance that users who attempt to gain access to data are who they say they are
- Authorization: Control of what data authorized users can access and the tasks they can perform with it
- “Data at rest” protection: How data is secured when it is stored, whether on disk, tape, memory, or some other medium
- “Data in transit” protection: How data is secured while it is being transferred, both within an organization and between an organization and authorized outside entities
- Activity monitoring: How user activity related to data is monitored for signs of suspicious behavior
- Breach detection and response: How data breaches (that is, access by unauthorized entities) are detected and what organizations do in response to limit the damage
Data security is one component of the broader idea of cybersecurity, which is intended to prevent both data breaches and other cyberattacks, such as phishing, malware, ransomware, and distributed denial-of-service attacks.
Modern data security and cybersecurity in general rely on automated tools, but the tools can go only so far. The last line of defense for most organizations is the people, which is why training and vigilance are so important to keep data secure.
Data Privacy
The idea of data privacy is related to what you can and cannot do with data in your possession regarding other people—customers, suppliers, and other external entities, collectively known as data subjects in many data privacy regulations. In essence, rules and regulations around data privacy outline your responsibilities as a custodian of that data.
In the past, few people worried about data privacy because it was difficult to obtain useful information about people and to share it. There was little beyond names, addresses, and phone numbers that was commonly shared, and the impact for most people was limited to additional junk mail or telemarketer calls.
The Rise of Data Privacy
Then, a couple of things happened. First, enterprising criminals discovered that it was easy to steal people’s identities to open credit card accounts and obtain loans, in large part because many people did not protect their credit card numbers, Social Security numbers (SSNs), and other data that could be used against them. SSNs were used as identifiers for all kinds of things, from college student IDs to health insurance, and credit card numbers and expiration dates were printed in full on receipts.
The other thing that happened was the internet, which made it much easier for both criminals and legitimate businesses to collect, store, and share rich sets of data about website visitors. Identity theft became more common, and some people found it a bit creepy that they now saw advertisements tailored to them on the basis of their Google searches.
In response, companies started to make changes to enhance data privacy. It is no longer legal in the U.S. to use SSNs as ID numbers for most applications outside the finance industry. Credit card and ATM receipts, and in many cases monthly statements, no longer show full account numbers and expiration dates. And governments started to pass data privacy laws.
Up until a few years ago, organizations that collected and used data operated on the assumption that any data you gave them, knowingly or not, was their property to do with as they wished. This included selling it to third parties. The new data privacy laws turned this assumption on its head. They said that data about yourself belongs to you, and you get to decide what others can do with it.
GDPR’s Data Privacy Rights
The GDPR, which serves as a model for other data privacy laws and regulations around the world, recognizes and enforces eight rights related to the use of data about you by other entities:
- The right to be informed about which data about you is collected and for what purposes
- The right to request access to data that other entities have about you
- The right to request corrections to data about you
- The right to “be forgotten,” that is, the right to request that an organization delete information they collected about you (and that the organization request the same deletion from any entity they shared the data with)
- The right to limit what an organization may do with data about you
- The right to obtain your personal data from one entity and transfer it to another entity (known as data portability)
- The right to raise objections about how an entity uses data about you
- The right to know how an entity’s automated decision systems made their decisions (for example, automated credit approval)
This set of rights introduced major new responsibilities for entities that collect, store, use, and share data about European data subjects. Violators can find themselves restricted from doing business in this important global market and other markets subject to similar regulations.
Regulatory Compliance for Data Privacy
Because of the threat of fines and other sanctions, depending on the regulation and jurisdiction, data privacy compliance has become a great concern for many organizations, even smaller ones for whom IT is not a major focus.
To achieve data privacy compliance, organizations must now complete several tasks that didn’t concern most of them until just a few years ago, such as:
- Draw up an easy-to-understand, plain-language privacy policy (sometimes in multiple languages); make it available to each data subject; and notify data subjects when the policy changes
- Provide a mechanism to enable data subjects to provide explicit consent to have their data collected and used, and to withdraw that consent at any time in the future
- Provide mechanisms by which data subjects can access and inspect their data, request corrections, and request to be “forgotten”
- Provide a way, when automated decision systems are involved, to explain how those systems arrived at their decisions
This is only a partial list of new responsibilities that organizations have with respect to data privacy laws. The full list is beyond the scope of this article, but suffice it to say that compliance is a big deal these days.
Data Security vs. Data Privacy
As we've outlined, data security and data privacy are two similar but distinct topics. Data security is the process of protecting data from unauthorized access, and data privacy is everything you do to respect the rights of data subjects.
You can have data security without data privacy. You needn't worry about data privacy if you possess no data related to external data subjects. In that case, no law requires you to keep your organization’s data secure.
The opposite is not true: You cannot have data privacy without data security. In most jurisdictions, if you possess data of external data subjects, you are compelled to keep that data secure. Otherwise, you have no way to prevent its misuse in violation of one or more data subject rights. If a cybercriminal breaches your data security apparatus and makes off with your data subjects’ data (a type of data breach known as a privacy breach), your organization may face severe penalties.
For this reason, IT resources tasked with data security must, in most cases, be knowledgeable about data privacy requirements and the role of data security in data privacy compliance.
The Role of Enzuzo
How can Enzuzo help with your data privacy or data security requirements?
Enzuzo builds world-class data privacy compliance software. Our tools can help automate and streamline your data privacy compliance tasks, such as:
- Privacy policy management
- Creation and management of cookie consent banners
- Data subject consent tracking and management
- Management and automatic fulfillment of data requests
- Ongoing website compliance scanning
In addition, Enzuzo can provide a data privacy risk assessment to determine your compliance risk. For more information or to schedule a demo, contact Enzuzo today.
Osman Husain
Osman is the content lead at Enzuzo. He has a background in data privacy management via a two-year role at ExpressVPN and extensive freelance work with cybersecurity and blockchain companies. Osman also holds an MBA from the Toronto Metropolitan University.