Yes! There is a difference between data security and data privacy. To understand or to, at least, see the difference between the two, let’s define each one first. Data security is defined as:
Data security refers to ways organizations protect their data, including technical safeguards that help ensure data confidentiality, integrity and availability.
Now, let’s define data privacy.
Data privacy revolves around the use and governance of personal data. This can include everything from personally identifiable information (PII) to financial information, to information about a person’s career, education, health, family or criminal history.
See the difference?
From these definitions, it’s clear that these two terms—“data security” and “data privacy”—should not be used interchangeably. While they are certainly related and are both extremely important, they should be addressed in different, but integrated ways.
Security expert, Cindy Compert of CTO Data Security and Privacy for IBM Security, explains the intricacies of both terms.
“We like to say you can have security without privacy, but you can’t have privacy without security,” says Cindy Compert, CTO Data Security and Privacy for IBM Security. “Consider data that you consider to be solidly secured: It’s encrypted, access is restricted, and you have put in place multiple overlapping monitoring systems. In all meaningful senses of the word, the data is secure. But when you add privacy into the mix, it becomes a little more convoluted. For example, while the customer service agent may be provisioned to access your account details after going over some security questions, privacy won’t allow the same individual to check the account of a family member, even though they have access privileges to that information.”
These days, data privacy has become more important and complex.
Increasingly stringent regulations in the United States and abroad have put data privacy concerns and compliance front-and-center for most companies. For example, privacy regulations in laws like the Health Insurance Portability and Accountability Act (HIPAA) and the Children’s Online Privacy Protection Rule (COPPA) give customers the right to see all data collected about them and allow them to request deletion of that data. Some states, like California, have their own privacy laws.
The more recent General Data Protection Regulation (GDPR) from the European Union is even broader, defining a privacy violation as the illegal retrieval or disclosure of “any information relating to an identified or identifiable natural person.” That information can include posts on social media, email addresses, bank details, photos and IP addresses.
The set of tools and approaches for both data privacy and data security are quite different as well.
Popular types of data privacy tools include browser extensions and add-ons, password managers, private browsers and email services, encrypted messaging, private search engines, web proxies, file encryption software, and ad and tracker blockers. Data security tools include identity and access management, data loss prevention (DLP), anti-malware and anti-virus, security information and event management (SIEM) and data masking software.
It’s really important to know the difference between the two. To start with, they won’t be used interchangeably. Seriously, knowing the difference between the two terms is critical in this age of Big Data.
“The companies that are doing it right have a unified program, with an agreed-upon classification framework, along with an assessment process and controls based on the sensitivity of the data,” Compert says.
One example of a company that’s doing it right is the Hard Drive Recovery Group. They understand the importance of protecting sensitive data in damaged hard drives. They boast of their very own data recovery process that offers the highest level of security.