Understanding their differences is not just a matter of semantic clarification. One Pew Research survey characterizes Americans as “concerned, confused, and feeling lack of control” over their perception of data privacy and security. Majority of the respondents say that they understand little or nothing about data privacy laws and regulations. Also, 8 in every 10 Americans think they have little or no control over the data companies and government authorities collect from them.
Most people are unable to quantify or specify which particular instances qualify as uncontrollable data privacy or security violations against them. They tend to simply say that they feel that their privacy or security is under attack without a clear grasp of what data privacy and security violations actually mean.
A better understanding of data security and privacy helps in setting the right policies in organizations. Likewise, it is useful to train employees to become more responsible in the way they deal with data.
The main differences
Data privacy is usually associated with personal, consumer, or public information, whereas data security is generally about securing the sensitive information of an organization or individual. It is a misconception that one is more stringent and crucial than the other. It is inaccurate to say that the consequences of a data privacy breach are not as serious as those of a data security attack and vice versa.
Both share the same need to meticulously follow certain regulations, protocols, and standards. They may have different sets of protocols and standards, but they ultimately need to ensure the protection of certain types of data in certain settings. Cybersecurity solutions like automated BAS penetration testing that also operationalize the MITRE ATT&CK framework are highly effective in ensuring data security as well as data privacy unless the organization running the pen testing defies privacy expectations.
The differences between the two lie in their scope and impact, which can be summed up as follows:
- A data privacy failure exposes information to unintended parties. A data security breach does not only cause the exposure of confidential or delicate information; it can also result in stolen, corrupted, deleted, or modified data.
- A data security failure can be remedied by backup copies of the destroyed data, but there is no way to reverse the effects of exposed private information. News of a company’s customer data leak will forever tarnish its reputation.
- Consumers partly have a say in their data privacy. There are situations where they may not reveal information about themselves or opt-out of internet activity trackers. Data security is solely the obligation of a company that collects information including data from customers.
- For cybersecurity teams, data security is the priority. As far as laws are concerned, data privacy is more emphasized (See “Laws setting the distinction” below)
- Data can be secure but its privacy may not be guaranteed by the organization or company that has custody of it. (See “When privacy does not guarantee privacy” below for elaboration).
Laws setting the distinctions
IT departments or the cybersecurity experts in organizations are all about the general idea of data security. Their goal is always to make sure that the information in their custody is not accessible to non-parties or unintended users of the data. However, if existing laws are to become the basis, the focus turns to data privacy.
This seeming confusion stems from the fact that existing laws in different parts of the world focus on the idea of privacy. There is no significant legislation that dictates organizations and individuals on how they should secure all of their data. However, there are many laws that emphasize the importance of privacy.
The UK Data Protection Act, Australia’s Privacy Act, California Consumer Privacy Act (CCPA), Japan’s APPI Amendment of 2017, Russia’s Federal Law on Personal Data 2006, and the General Data Protection Regulation (GDPR) of the European Union, among many others, establish rules on how to protect private information. There are no laws similar to these that impose strict guidelines on how organizations should protect their data in general.
“The difference between data privacy and data security is the difference between protecting someone’s personal information and the security measures you have in place to protect all of your business’ information,” says Potomac Law Cybersecurity Partner Greg Ewing as quoted in an article on ZDNet.
From a legal perspective, it would be more logical for businesses and organizations to focus on data privacy as laws on this subject come with heavy penalties for violations. The EU’s GDPR, for example, can impose billions of dollars in penalties for data privacy violations that involve the personally identifiable information of the citizens of the European Union.
Organizations can be sued for data privacy violations even before breaches happen or damages are incurred. The failure to have the legally prescribed precautions or protection measures in place can be enough grounds for a suit.
When security does not guarantee privacy
Joshua Kail, a communications consultant for Cambridge Analytica before the company shut down in 2018, said that Facebook “basically handed the data over (to Cambridge Analytica) and then it was used in an inappropriate way.” Again, the data was secure, but the custodian of the data decided to allow unintended users to have access to it.
When privacy does not guarantee security
All entities or organizations that maintain an online presence are already required to present their respective privacy terms and conditions. Most of them comply with existing data privacy laws. However, they still end up becoming victims of security compromises that lead to the unauthorized disclosure of private data to the public.
The secret-sharing app Whisper, for example, exposed 900 million user records including personally identifiable information, posts, post metadata, confessions, and locations. The app that is supposedly built to be one of the most private sites with its promise of anonymity faced an embarrassing predicament that sent its reputation crashing.
Simply put, data privacy is also a form of data security but with a focus on securing the data of people or entities as collected and kept by a company or organization. Data security is a broader term that is essentially about protecting data from unauthorized access.
Does data privacy equate to data security? Certainly not. A reputation of excellent privacy policies and law-abiding precautionary measures does not always translate to actual data security. Conversely, secure data is not always private.
The overlaps between data security and privacy may stir some confusion, which should be promptly and accurately addressed to prevent the mistakes of assuming that an organization’s data is already private because it is secure, or it is secure because it has been made private.