
Data Privacy vs Data Security in Data Protection

Written by Rachael Ormiston | August 14, 2023

As your company’s privacy team works to protect customers' personal data, another key component to keep at the top of your mind is securing that sensitive data effectively to achieve compliance. But when it comes to data privacy vs data security, are you clear on the difference?

The good news is that many aspects of privacy and security share commonalities and goals, leading to a natural, working symbiosis. However, the potentially frustrating part is that privacy regulations like the GDPR or CPRA don’t provide a lot of detail about security implementation. 

Essentially, while regulations ask organizations to develop “reasonable security” in their privacy programs, details can be vague about how to achieve that.

As the National Cyber Security Centre puts it, “The [GDPR] does not mandate a specific set of cyber security measures, but rather expects you to take ‘appropriate’ action.” What counts as appropriate is left for you to determine.

While this can be challenging to operationalize, the vagueness is deliberate. Because it leaves room for technological advances and changes in the threat landscape, the lack of prescription is actually beneficial for organizations: a fixed list of controls written into law would date quickly.

Organizations can instead lean on other sources, such as security industry frameworks, to determine what is reasonable based on risk and data sensitivity, or on guidance from bodies like the European Data Protection Board.

Because data privacy and data security share responsibilities while remaining distinct fields, they can often feel synonymous.

Therefore, it helps to know the difference between privacy and security (and why both are equally important). And, while it’s true the two can overlap, they still perform different functions for your company’s overall data protection: Privacy governs whether and how you collect and use people's data and gives them rights over that use, and security protects the data once it’s in your possession.

The Difference Between Data Privacy vs Data Security

Imagine for a moment that both “privacy” and “security” are inquisitive toddlers (we’re sure you know a few).  

Privacy is the tyke who’s always asking “why”: Why are we collecting this data? Why do we want to use it, and why are we keeping it for X amount of time? Why are we storing it, and why are we sharing it? 

This toddler’s questions revolve around what personal data your company collects, why it processes it, and how it addresses data privacy concerns. In a work setting, privacy teams build the “why” by considering the regulatory environment.

And security is the toddler who’s forever wondering how things work: “Yes, but how does it happen? How are we keeping data secure, and how are we keeping encryption in place?” 

This toddler’s questions help decide how strongly your collected data should be protected based on its type and sensitivity. In the world of work, they think about how to keep data secure given the “whys” that privacy set in place.

Why does this matter? Because, in your organization, both kiddos should be playing in the sandbox together. 

Not only do they hold checks and balances on each other, but together they can also develop a response plan for a breach before one occurs. The more privacy and security work together, the stronger your collective privacy program will be.

Having the “why” and the “how” work together can help build trust, which is the ultimate name of the game.

Data Security and Privacy For Data Protection

Data security and data privacy work together to ensure that the data you collect is not only protected but also controlled. Essentially, privacy determines the sensitivity and classification of data (and the purposes it may be used for), while security implements the access controls and safeguards that classification calls for.

More often than not, the two teams aren’t putting out fires but preventing them. This might look like collaborating on vendor reviews, sharing training, mapping data flows, and drafting policies together.

However, in the case of a breach at your company, the relationship between privacy and security is put to the test. Your security team, whether internal or external, will need to work with your privacy team to determine the scope and impact of the data loss and whether notifications are required. Under the GDPR, for example, a personal data breach must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it (Article 33), which leaves little time for forensics if the two teams have not planned together in advance.

This is when you discover whether privacy and security have been playing in the sandbox all along, proactively developing a robust solution in case of a data breach. And, if they have, the mitigation process becomes that much smoother.  

But what does that relationship look like?   

Essentially, if data privacy (the “why”) is executed mindfully, then data security (the “how”) will be more thoughtful, too. At its core, a solid security plan comes down to how well you understand the data you gather: what it is, which elements are sensitive, where it flows, and why you have it.

Collecting only what’s needed, as well as having data labeling and classifications, contributes to the technical, organizational, and administrative mechanisms that can protect data.

While security is a distinct field, having upstream checks in the “why” of data collection and processing can help the downstream process of keeping it secure. 

Thus, in the event of a breach, these two teams are not only speaking to each other, but they have been for a while.  

Because these two teams will have established a solid rapport (and plan) in advance, this breach mitigation should go smoothly—leaving data far more secure than if no preventative sandbox play-dates occurred.

Navigating Regulatory Requirements: A Closer Look at GDPR and CPRA

When it comes to data privacy and security, regulatory frameworks like the General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA) are often the guiding lights. 

Understanding how these regulations specifically shape your organization’s privacy and security practices is essential to ensuring compliance and building a robust data protection strategy.

GDPR: Striking a Balance Between Flexibility and Accountability

The GDPR, which serves as a global benchmark for privacy regulations, is intentionally broad in its prescriptions, offering organizations the flexibility to adopt security measures that best suit their specific context. 

However, this flexibility comes with a significant responsibility: the onus is on organizations to determine what constitutes "appropriate" security based on the nature of the data they handle and the associated risks.

For example, Article 32 of this privacy law requires organizations to implement "appropriate technical and organizational measures" to ensure a level of security appropriate to the risk. 

The measures it names include, as appropriate, the pseudonymization and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems; the ability to restore availability of and access to personal data in a timely manner after a physical or technical incident; and a process for regularly testing and evaluating the effectiveness of those measures.

Yet, what is considered "appropriate" is left to the organization to determine and justify, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of the processing, and the risk to the rights and freedoms of the individuals concerned. This means that while the GDPR provides a framework, it’s up to each organization to fill in the details, often by leaning on industry standards and best practices.
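Pseudonymization, the first measure Article 32 names, is a case where the choice of mechanism matters: an unkeyed hash of an email address is not a pseudonym in any useful sense, because anyone can recompute it from a guessed address and re-identify the record. The Python script below is an added example, not code from this article or from Osano. It assumes records are dictionaries with an "email" field and that the HMAC key is stored apart from the data (in a secrets manager, say); the sample records and the attacker's guess list are constructed for the demonstration.

```python
"""Keyed pseudonymization versus a naive hash (added example, not the article's code).

Assumptions (mine, not the page's): records are dicts with an 'email'
field, and the pseudonymization key lives outside the data store.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample records, not real customer data.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "plan": "pro", "country": "DE"},
    {"email": "bob@example.org", "plan": "free", "country": "FR"},
    {"email": "alice@example.com", "plan": "pro", "country": "DE"},
]

# Constructed guess list; a real attacker would use a large dump of
# known or generated addresses.
GUESS_LIST = ["alice@example.com", "bob@example.org", "carol@example.net"]


def naive_token(email: str) -> str:
    """Unkeyed SHA-256: looks pseudonymous, but anyone can recompute it."""
    return hashlib.sha256(email.lower().encode()).hexdigest()


def keyed_token(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key kept apart from the dataset.

    Without the key a token cannot be recomputed from a guessed email, so
    the additional information needed to re-identify a person stays
    separate, which is what GDPR's definition of pseudonymization requires.
    """
    return hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Replace the direct identifier with a keyed token; keep the other fields."""
    out = []
    for rec in records:
        rec = dict(rec)
        rec["subject_id"] = keyed_token(rec.pop("email"), key)
        out.append(rec)
    return out


def reverse_by_guessing(token: str, guesses, token_fn) -> Optional[str]:
    """Attacker's move: recompute tokens for guessed emails and compare."""
    for guess in guesses:
        if hmac.compare_digest(token_fn(guess), token):
            return guess
    return None


def demo():
    key = secrets.token_bytes(32)  # generate once; store in a KMS or secrets manager
    pseudo = pseudonymise(SAMPLE_RECORDS, key)

    # Same person -> same token, so per-subject analytics still work.
    linkable = pseudo[0]["subject_id"] == pseudo[2]["subject_id"]

    # The naive hash falls to the guess list; the keyed token does not
    # (the attacker has the data but not the key).
    naive_hit = reverse_by_guessing(naive_token("alice@example.com"), GUESS_LIST, naive_token)
    keyed_hit = reverse_by_guessing(pseudo[0]["subject_id"], GUESS_LIST, naive_token)
    return {"linkable": linkable, "naive_reversed": naive_hit, "keyed_reversed": keyed_hit}


if __name__ == "__main__":
    print(demo())
```

Two caveats follow from the design: if the key is compromised, every token becomes reversible by guessing, so key custody is the whole control; and a keyed token is still personal data under the GDPR, since the controller holds the key, so pseudonymization reduces risk but does not take the data out of scope.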

CPRA: Enhancing Transparency and Consumer Rights

The CPRA, building on its predecessor, the California Consumer Privacy Act (CCPA), introduces stricter requirements around consumer rights and information security. 

One of the key enhancements under CPRA is the focus on data minimization and the implementation of reasonable security procedures. While the CPRA, like the GDPR, doesn't dictate specific security measures to protect personal data, it emphasizes the importance of aligning data security practices with the sensitivity of the information being processed.

The CPRA also directs the California Privacy Protection Agency to issue regulations requiring businesses whose processing presents significant risk to consumers' privacy or security to perform an annual cybersecurity audit and to submit regular risk assessments to the agency, with processing of sensitive personal information a prime candidate for that treatment.

These assessments should not only evaluate the effectiveness of existing security controls but also ensure that data collection and processing activities adhere to the principles of purpose limitation and data minimization. 

Essentially, CPRA pushes organizations to think critically about whether the data they collect is necessary and whether they are doing everything within reason to protect it.

Aligning Practices: The Role of Industry Frameworks

Given the broad nature of both GDPR and CPRA, organizations often turn to established data security frameworks—such as ISO/IEC 27001, NIST Cybersecurity Framework, or CIS Controls—to help operationalize compliance. 

These frameworks provide a structured approach to implementing security measures that can satisfy regulatory requirements while also addressing specific organizational needs.

By integrating these frameworks into your privacy and security programs, you can make your practices both defensible to a regulator and more resilient against evolving threats. This proactive approach not only helps in meeting regulatory obligations but also fosters trust among your customers, who can see that their data is being handled with care.

For more information on how to interpret current privacy regulations—and what they require of your company’s data security plan—find a trustworthy partner to help you navigate it all. 

Osano has a number of free resources to explore. And when you’re ready to take the next step, we provide a range of solutions to help you meet GDPR and CPRA requirements.