The terms “privacy” and “security” are sometimes used interchangeably. However, there are some important distinctions between the two concepts, and understanding each is vital if you want your organisation to be as protected as possible against threats.
An effective organisation has both security and privacy, and takes measures to reinforce both. In this guide, we will delve into each concept, the relation between the two, and whose responsibility it is to protect them.
Privacy vs Security
The term “security” is defined as the state of being protected from dangers and threats. Within cyber security, this means all organisational assets (e.g., data) being safe, and the processes, procedures, assets, and tools used to protect them.
In the age of Big Data, there is more data (much of it personal and sensitive) than ever before stored by various organisations, and it is impossible to exist as an organisation without interacting with it to at least some extent (this includes simple day-to-day uses like GPS or Google Maps). This means that responsibility for data security is shared by every individual and organisation that interacts with it.
Privacy is also a responsibility for individuals and organisations. While data often needs to be accessible in order to carry out operations, accessibility must be restricted and limited to only the necessary parties. These necessary parties can change on a regular basis, so accessibility must be enforced accordingly using the relevant controls.
Security controls are used to enforce privacy, and each is important, so they often intertwine.
Differences between data privacy and security
According to the European Data Protection Supervisor, the term “privacy” is defined as “the ability of an individual to be left alone, out of public view, and in control of information about oneself.” What constitutes privacy in general can be subjective.
When it comes to data privacy in the age of Big Data, the responsible use of data and information is essential. Organisations have a responsibility to keep individuals’ personal information safe, and access to it restricted as much as possible.
Security refers to the specific controls put in place to protect personal data from unauthorised access, as well as to protect an organisation’s other assets. This can include operational security controls, such as Clean Desk policies, Mobile Device policies, and Identity and Access Management (IAM) solutions. Technical security controls, such as encryption, antivirus software, firewalls, multi-factor authentication (MFA), are also essential.
All of these factors contribute towards a secure layer and “defence-in-depth”—a cyber security term which refers to using multiple layers of security within an organisation to ensure that there are no weaknesses. Your organisation is only as strong as its weakest asset!
Relationship between data privacy and security
For example, an individual may share personal information with their bank in order to open an account. If the bank sold information to an advertising or marketing company, this would be a breach of privacy (although would be legal if agreed to when the account holder signed up), although the account would still be secure.
If the bank’s database was hacked, information would be accessible for the purposes of identity theft or fraud, and both privacy and security would have been compromised. To maintain both privacy and security, the bank would need robust defences against hacks as well as a policy that forbids sharing of information with third parties.
Security measures to protect privacy
Alongside common cyber security defences like antivirus protection and firewalls, security measures used to protect privacy include:
- Identity and Access Management (IAM): a framework of policies and technologies that authenticate (verify the identity of) users attempting to access information. For example, requiring the input of a password in order to access information is a form of IAM.
- Encryption: the conversion of data into an unrecognisable form or “code”, which can only be decrypted (or “unscrambled”) with a specific password or “key”.
- De-identification: the removal (or transformation) of personal identifiers (e.g., names, addresses, numbers, etc) from information. This can be carried out in a number of ways, including encryption.
- Differential Privacy: the use of only the minimum required information needed to carry out operations. For example, data analysis can be carried out on only the relevant fields of databases.
Being mindful of both security and privacy will benefit your own protection, along with that of your organisation and the data you handle.
How important is data privacy and security?
Data security and privacy are crucial within an organisation. Without both, an organisation is more susceptible to attacks than one that has these controls in place. There are various factors that can impact data privacy and security.
Cyber crime is rising sharply and constantly in England and Wales. Action Fraud, the national reporting centre for fraud and cyber crime, reported a 28% rise in fraud offences since March 2020. With a 57% increase in online shopping and auctions (according to the same report), more and more people are at risk from cyber crime and fraud.
In 2019, a huge 90% of data breaches in the UK were due to human error, according to the UK Information Commissioner's Office. This statistic reinforces the urgent need for all members of an organisation to learn and abide by privacy and security procedures.
According to a study by US IT services firm Cognizant, over half of consumers would stop using a company that uses personal information in a way that they consider irresponsible. Another Cognizant study shows that half of consumers are even willing to pay more for products and services that sufficiently protect their information. When it comes to the handling of personal data, there is serious money to be made—or lost!
Who is responsible for breached or leaked data?
A data breach can happen to any organisation, and the frequency of breaches is increasing across every industry. An organisation must adhere to certain data protection legislation based on their location, industry, and the type of data that they are handling.
Different industries may have more specific legislation to follow. For example, companies may need to comply with UK GDPR or EU GDPR, or even PCI-DSS, depending on their nature.
For example, GDPR requires organisations to prove that they have taken sufficient measures to protect customer data, as well as to notify customers in the event of a data breach. Failing to meet these requirements can result in heavy fines, legal action from customers, or even criminal charges, as well as notifying customers and the relevant data protection agency (e.g. the Information Commissioner's Office in the UK) in the event of a data breach.
Under GDPR, data controllers (individuals or organisations who “own” data, and determine the reasons and methods of collecting it) are primarily responsible for compliance with data protection requirements. However, data processors (individuals or organisations instructed by the data controller to process data, e.g., cloud storage systems and those who own and maintain them) do have some responsibilities, such as implementing sufficient cyber security measures.
While the owners of cloud storage systems must notify data owners (the organisations that use that cloud system to store their customer’s data), the data owners are considered the data controllers, and are otherwise legally responsible for protecting information. Failure to sufficiently restrict access, encrypt data, or other safeguards can increase a data owner’s liability for the results of a data breach.
Ultimately, if an organisation suffers a data breach, all staff can be impacted. All staff members have an obligation to ensure that they are following organisational processes and procedures when managing data. More importantly, the organisation would most likely experience reputational damage, loss of income, and possible legal consequences.
Both privacy and security are crucial for yourself and for your organisation. Handling data is a responsibility which must be taken seriously, with all necessary procedures and policies implemented and relevant legislation followed.
Following security and privacy measures is not just good practice to follow as an employer—it is also critical for employees to follow, and for everybody to follow in daily life outside of the workplace! In the modern world, data is usually encountered daily, and both security and privacy play critical roles in protecting and regulating this data.