The terms “privacy” and “cybersecurity” are closely intertwined but they aren’t the same. Your organization needs to excel at both privacy and security to maintain customer trust and comply with regulatory requirements. Understanding how these concepts differ and how they overlap impacts how you structure internal operations, collaborate across teams, and measure success.
While it’s possible to have security without privacy, it’s impossible to have privacy without security. Why is that?
Security is about safeguarding data and systems from unauthorized access.
The goal of cybersecurity is to keep external threats and malicious insiders from breaching critical systems that hold sensitive information, including personal data and corporate intellectual property. In addition to keeping information confidential, cybersecurity must also maintain system availability and data integrity.
To mitigate the risk of a cyber-attack, cybersecurity teams implement a variety of security tests and controls. For example, encryption, multi-factor authentication, and password protection solutions determine who can access what, including IoT systems that share information without human intervention. Security tools such as firewalls, virus scans, and data loss prevention software lower the risk of cyber-attack by monitoring IT systems and identifying and blocking unexpected behavior.
Let’s say all users accessing your customer database are “authorized” and their behavior is “expected.” Your IT systems likely meet the security test. But, do your operations meet the privacy test? Not necessarily. Anyone with valid credentials could view and manipulate a customer’s personal data or use it for a purpose for which consent has not been received, and that customer may never know.
Privacy is about safeguarding information tied to personal identity.
The concept of privacy is both more granular and broader than security.
How is it more granular? Importantly, privacy relates specifically to personal information, including any information related to an identified or an identifiable individual. Phone numbers, email addresses, financial and healthcare information, etc. are all personal information when they are tied to a unique individual. Privacy laws such as the General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA) are designed to protect customers’ personal information.
Why broader? When you collect or process personal information, you take on an obligation not only to keep it safe from cyber-attack, but also to treat the information you collect responsibly and fairly and in line with the consent provided by the consumer.
Individuals have the right to keep their own information confidential. If they do share information, they have the right to expect it will be kept private and used only for the purpose they have authorized. Their information should never be accessed, shared or sold without their knowledge.
To meet privacy obligations, you need to ask the following questions:
- Am I am being fair to my customers in the way I treat their data?
- Have I explained to my customers how I treat their data, in a way that they easily understand?
To answer these questions privacy professionals are responsible for knowing answers to four fundamental privacy pillars:
- What data do you have
- Where that data is stored
- Where data is processed
- What third parties have access to that data and what are they doing with it
A privacy program can’t address these four pillars without the support of a security program. While the privacy team typically sets the requirements for data management, the security team typically selects and runs the actual IT systems and tools that manage data storage, access, sharing, and reporting.
Improving collaboration and communication between privacy and security
Within an organization, there are often two distinct roles: a Chief Information Security Officer (CISO), who typically has an information technology background, and a Chief Privacy Officer (CPO), often an expert on legal and compliance issues. Although their areas of expertise and approaches may be different, these leaders and their teams must build a cooperative relationship to be successful. ¬
The most effective and efficient privacy and security teams set a foundation for collaboration by putting a few core tenants in place:
- A shared vocabulary for data classification. Security and privacy teams need to agree on how data is categorized. What data is considered “personal” or “protected?” Data classification allows certain data to be tagged and tracked throughout its lifecycle.
- Transparency. Security and privacy teams need to share information about where data resides, who has access, and what data processing actions have occurred. When both teams can see the same information in a common platform, they save time communicating and planning.
- Employee empowerment. Security and privacy teams are each responsible for making sure everyone in an organization, as well as third-parties that touch data, have the knowledge and ability to manage data responsibly. People must be trained on security and privacy best practices and understand their legal responsibility for acceptable data use. They must be empowered with tools that allow them to do the right thing regarding personal data and still be able to get their jobs done productively.
Both privacy and security are critical for an organization’s success. Let’s face it; their fates are intertwined. If a cyber attacker does circumvent security controls, he or she may access and expose personal data, triggering numerous privacy violations and destroying customer trust. Building a privacy operation based on close collaboration with IT security teams is an essential step in the privacy process.
Click here to learn more about WireWheel’s unique approach to privacy.