
Data Privacy VS Data Security – Understanding the difference might save your company a lot of money

January 29, 2021


Almost three years after the General Data Protection Regulation (GDPR) took effect and one year after the CCPA came into effect, many employees and business managers still use the terms data privacy and data security interchangeably. The two overlap, but they involve distinct processes and produce distinct outcomes. Businesses that fail to understand the difference can put their brands in jeopardy, break privacy laws, and ultimately lose a lot of money. Here are the key differences.

What Is Data Privacy?

Data privacy is about deciding what personal information you should and should not collect from your users, with their permission where the law requires it, and what you are allowed to do with it afterwards. An organization must ensure that personal information is not accessed by unauthorized parties and that individuals retain control over their personally identifiable information (PII).

Data privacy is primarily concerned with the policies and procedures that govern the collection, storage, and use of data. The same discipline covers not only personal data but also confidential corporate information such as trade secrets, personnel records, and internal processes. Ensuring data privacy requires more than a particular set of techniques: every employee with access to sensitive data must be trained on the approved data-handling processes.

To be compliant with the regulations, organizations implement particular procedures that spell out how sensitive data is collected, stored, and used by the company and its employees. All workers must realize the importance of privacy and prevent improper exposure of data and policy breaches.

The simplest way to understand data privacy is to remember the main question privacy laws address: "How and why do you collect data?"

What Is Data Security?

After establishing how and why you collect data, you have to protect it. In practice, protecting the data usually means protecting the entire enterprise IT infrastructure. Data security is the set of strategies and controls that protect information from cyberattacks, breaches, and accidental or intentional data loss.

Key steps for any business to meet the legal obligations of possessing sensitive data include activity monitoring (detection of unauthorized devices), network security, physical and logical access controls (multi-factor authentication), encryption of data, resilient data storage technologies, data masking, and the elimination of sensitive data that is no longer needed. Regular backups and tested disaster recovery plans are also a big part of data security.
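Two of the controls listed above, data masking and the deletion of sensitive data past its retention period, applied to a small set of constructed support-ticket records. This is an added example written for this article, not code from any company or library; the record layout, the fields treated as sensitive, and the 365-day retention period are all assumptions.

```python
"""Data masking and retention-based deletion over constructed records.

Added illustrative example (not the article's or any vendor's code).
Assumptions: records carry email, ssn, ip and a 'closed' date; retention is
365 days after a ticket is closed.
"""
from datetime import date, timedelta
import re

RETENTION_DAYS = 365  # assumed retention period for closed tickets

# Constructed sample records; none of these values are real.
RECORDS = [
    {"id": 1, "email": "alice@example.com", "ssn": "123-45-6789",
     "ip": "203.0.113.7", "closed": date(2020, 1, 10)},
    {"id": 2, "email": "bob@example.org", "ssn": "987-65-4321",
     "ip": "198.51.100.23", "closed": date(2020, 12, 20)},
]


def mask_email(email):
    """Keep the first character of the local part and the domain only."""
    local, _, domain = email.partition("@")
    if not local or not domain:
        return "***"
    return local[0] + "***@" + domain


def mask_ssn(ssn):
    """Keep the last four digits; anything that is not a 9-digit SSN is fully masked."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        return "***-**-****"
    return "***-**-" + digits[-4:]


def mask_ip(ip):
    """Zero the last octet of an IPv4 address (coarse network only)."""
    parts = ip.split(".")
    if len(parts) != 4:
        return "*.*.*.*"
    return ".".join(parts[:3] + ["0"])


def mask_record(rec):
    """Return a copy of the record with the sensitive fields masked."""
    masked = dict(rec)
    masked["email"] = mask_email(rec["email"])
    masked["ssn"] = mask_ssn(rec["ssn"])
    masked["ip"] = mask_ip(rec["ip"])
    return masked


def purge_expired(records, today, retention_days=RETENTION_DAYS):
    """Split records into those still inside retention and the ids to delete."""
    cutoff = today - timedelta(days=retention_days)
    kept = [r for r in records if r["closed"] >= cutoff]
    deleted = [r["id"] for r in records if r["closed"] < cutoff]
    return kept, deleted


if __name__ == "__main__":
    kept, deleted = purge_expired(RECORDS, date(2021, 1, 29))
    print("deleted ids:", deleted)
    for r in kept:
        print(mask_record(r))
```

Masking is applied on the way out (reports, analytics exports, support views) while the originals stay encrypted at rest; the purge runs on a schedule so that data the business no longer needs is not around to be breached.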

Information security analysts warn that it’s possible to have excellent data privacy standards but fail on data security. For example, you still may not be in legal compliance if you have strong data collection policies, but you are not protecting that data with adequate security measures.

Data Privacy VS Data Security – Real-life Examples

Organizations that collect or manage data should never take the security of that data lightly. To better understand how failing to comply with regulations might be a disaster for your business, let’s look at some of the fines and penalties which data protection authorities within the EU have imposed under the EU General Data Protection Regulation (GDPR, DSGVO).

In October 2020, the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) issued a €35.3 million (about $41.5 million) fine to the Swedish retailer Hennes & Mauritz (H&M) for GDPR violations. The issue became public after a technical error made the data on a company network drive accessible to everyone in the company for a few hours. The information ranged from details about employees' illnesses and diagnoses to what they had done on holiday, specific family issues, and religious beliefs.

On January 15, 2020, Italy's data protection authority, the Garante, issued a €27.8 million GDPR fine to the telecommunications operator TIM. The list of violations is extensive: TIM had contacted non-customers repeatedly (certain numbers more than 150 times per month) without proper consent or any other legal basis. The investigation identified four main categories of violation: lack of proper consent, improper management of consent lists, excessive data retention, and data breaches.

Both TIM and H&M were fined for failing to comply with data privacy law. Let's now look at two major data exposures disclosed in 2020, where the failure was on the security side.

In January, Microsoft disclosed a data breach that took place in December 2019. In a blog post, the company said a change made to the database’s network security group on December 5, 2019, contained misconfigured security rules that enabled exposure of the data. The servers contained 250 million entries, with information such as email addresses, IP addresses, and support case details.
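A check for the kind of misconfiguration described above: an inbound rule in a network security group that lets any Internet source reach a database or search port. This is an added example for this article, not Microsoft's tooling or the rule set from the incident; the rules are constructed in the shape Azure NSG rules take (priority, direction, access, protocol, source prefix, destination port range), and the list of "sensitive" ports is an assumption.

```python
"""Flag NSG inbound rules that expose sensitive ports to the whole Internet.

Added illustrative example (not the article's or Microsoft's code).
Assumptions: rules use the Azure NSG field names shown, lower priority
numbers are evaluated first, and the first matching rule decides.
"""

# Source prefixes that match an arbitrary Internet client.
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}

# Assumed ports for databases and search clusters that should never face the Internet.
SENSITIVE_PORTS = {9200, 3306, 5432, 1433, 27017, 6379}

# Constructed rule set with the weak rule (AllowSearch open to "*").
WEAK_RULES = [
    {"name": "AllowSSHFromCorp", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "10.0.0.0/8", "destinationPortRange": "22"},
    {"name": "AllowSearch", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "9200-9300"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

# Same rule set with the search rule restricted to the internal network.
FIXED_RULES = [dict(r, sourceAddressPrefix="10.0.0.0/8") if r["name"] == "AllowSearch" else r
               for r in WEAK_RULES]


def port_in_range(port, spec):
    """True if the integer port falls inside an NSG destinationPortRange string."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= port <= hi
    return port == int(spec)


def effective_rule_from_internet(rules, port):
    """First inbound rule (by priority) that matches a TCP packet from an arbitrary
    Internet source to the given port; rules scoped to specific prefixes cannot match."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound":
            continue
        if rule["protocol"] not in ("Tcp", "*"):
            continue
        if rule["sourceAddressPrefix"] not in ANY_SOURCE:
            continue
        if port_in_range(port, rule["destinationPortRange"]):
            return rule
    return None


def internet_exposed_ports(rules, ports=SENSITIVE_PORTS):
    """Map each sensitive port that an Internet client can reach to the rule allowing it."""
    exposed = {}
    for port in sorted(ports):
        rule = effective_rule_from_internet(rules, port)
        if rule is not None and rule["access"] == "Allow":
            exposed[port] = rule["name"]
    return exposed


if __name__ == "__main__":
    print("weak:", internet_exposed_ports(WEAK_RULES))
    print("fixed:", internet_exposed_ports(FIXED_RULES))
```

Run the same logic over every NSG in a subscription after each change (the rules can be exported with the Azure CLI or the REST API) and treat any non-empty result on a database or search port as an incident, not a ticket.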

That same month, security researcher Jeremiah Fowler discovered a database online that contained what he said was “a massive amount of records”. The database belonged to cosmetics giant Estée Lauder and contained a total of 440,336,852 records. In a statement, the company noted that the database was from an “education platform,” which did not contain consumer data. No evidence was found of unauthorized use of the data.

Handling Data Under CCPA, GDPR, and HIPAA

Data privacy laws like CCPA, GDPR, and HIPAA impose a broad set of privacy standards and regulatory compliance requirements on companies. Companies face penalties or even criminal charges for failing to safeguard the privacy of PII and other sensitive personal information. 

Under GDPR, online identifiers such as cookie IDs are personal data just as much as stored identifiers such as national identification numbers, and they must be protected to the same standard. GDPR applies to organizations established in EU member states and to anyone, anywhere, who processes the personal data of individuals located in the EU.

The California Consumer Privacy Act (CCPA) took effect in January 2020. Its purpose is to protect consumer privacy and data: it gives California residents the right to know what personal information is collected about them, to have it deleted, and to opt out of its sale.

The Health Insurance Portability and Accountability Act (HIPAA) protects the sensitive health information of patients across the U.S. Under this regulation, covered organizations must protect the vast amount of healthcare data they hold, such as patients' dates of birth, their prescribed medication, and X-ray images.

Data breaches are no longer just embarrassing or inconvenient for organizations, but can also prove very expensive. Data privacy and data security are not the same thing. They are complementary concepts, and executives must take both into account when approaching data.