The terms “privacy” and “cybersecurity” are closely intertwined but they aren’t the same. Your organization needs to excel at both privacy and security to maintain customer trust and comply with regulatory requirements. Understanding how these concepts differ and how they overlap impacts how you structure internal operations, collaborate across teams, and measure success.
While it’s possible to have security without privacy, it’s impossible to have privacy without security. Why is that?
Security is about safeguarding data and systems from unauthorized access.
The goal of cybersecurity is to keep external threats and malicious insiders from breaching critical systems that hold sensitive information, including personal data and corporate intellectual property. In addition to keeping information confidential, cybersecurity must also maintain system availability and data integrity.
To mitigate the risk of a cyber-attack, cybersecurity teams implement a variety of security tests and controls. For example, encryption, multi-factor authentication, and password protection solutions determine who can access what, including IoT systems that share information without human intervention. Security tools such as firewalls, virus scans, and data loss prevention software lower the risk of cyber-attack by monitoring IT systems and identifying and blocking unexpected behavior.
Let’s say all users accessing your customer database are “authorized” and their behavior is “expected.” Your IT systems likely meet the security test. But, do your operations meet the privacy test? Not necessarily. Anyone with valid credentials could view and manipulate a customer’s personal data or use it for a purpose for which consent has not been received, and that customer may never know.
Privacy is about safeguarding information tied to personal identity.
The concept of privacy is both more granular and broader than security.
How is it more granular? Importantly, privacy relates specifically to personal information, including any information related to an identified or an identifiable individual. Phone numbers, email addresses, financial and healthcare information, etc. are all personal information when they are tied to a unique individual. Privacy laws such as the General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA) are designed to protect customers’ personal information.
Why broader? When you collect or process personal information, you take on an obligation not only to keep it safe from cyber-attack, but also to treat the information you collect responsibly and fairly and in line with the consent provided by the consumer.
Individuals have the right to keep their own information confidential. If they do share information, they have the right to expect it will be kept private and used only for the purpose they have authorized. Their information should never be accessed, shared or sold without their knowledge.
To meet privacy obligations, you need to ask the following questions:
To answer these questions privacy professionals are responsible for knowing answers to four fundamental privacy pillars:
A privacy program can’t address these four pillars without the support of a security program. While the privacy team typically sets the requirements for data management, the security team typically selects and runs the actual IT systems and tools that manage data storage, access, sharing, and reporting.
Improving collaboration and communication between privacy and security
Within an organization, there are often two distinct roles: a Chief Information Security Officer (CISO), who typically has an information technology background, and a Chief Privacy Officer (CPO), often an expert on legal and compliance issues. Although their areas of expertise and approaches may be different, these leaders and their teams must build a cooperative relationship to be successful. ¬
The most effective and efficient privacy and security teams set a foundation for collaboration by putting a few core tenants in place:
Both privacy and security are critical for an organization’s success. Let’s face it; their fates are intertwined. If a cyber attacker does circumvent security controls, he or she may access and expose personal data, triggering numerous privacy violations and destroying customer trust. Building a privacy operation based on close collaboration with IT security teams is an essential step in the privacy process.
Click here to learn more about WireWheel’s unique approach to privacy.