Data Privacy and Data Security: the connection and distinction

Oil, gold, wheat, natural gas and so on were considered the most important commodities stored in our world’s reserves. The world is packed full of tangible commodities that each have their own value. Oil is perhaps the most recognized, and up till the digital age, was the world’s most valuable commodity. Not anymore.

The digital age has seen the introduction of intangible and digital commodities. Today, data is considered the world’s most valuable (and vulnerable) resource. The collection, processing and use of data happen every second of every day of our daily lives. Such an important resource must be secured and protected for fear of cybercriminals trying to steal private data.

For companies and organizations that manage data as well as individuals that own it, privacy and security of that data must be given the highest priority. Identities, financial records and other private information would fall into the hands of cybercriminals and hackers who would gain access to highly damaging information that could lead to a company’s (or an individual’s) downfall. However, most people do not take the liberty of trying to understand the importance of two elements: data privacy and data security, and tend to mix them up.

Data privacy and data security are frequently interchanged to mean the opposite of what they really are. These two components are connected, of course, but at the same time, they are unique. They mean very different things. One cannot survive without the other. It is very important that individuals tasked with the responsibility of managing an organization’s data understand the distinction between these two terms. Knowing this distinction gives a better understanding of their working and how they can impact a business.

What is data privacy?

Despite having several definitions online, one can generally define data privacy as the right or ability of an individual to decide what, when and how personal data will be shared with or communicated to others. In short, the governance of data. It deals with consent, notice and compliance with regulations of that particular region.

Personal information can include anything the individual wishes to include, like one’s name, location, contact information, online behaviour and so on. Users would want full control over what information they decide to withhold from the public domain. Organizations and governments have realized the importance of keeping strict guidelines designed to protect personal data privacy. It is imperative that an individual has full control over their personal data and how much information can be collected and used by third party organizations.

This is plenty to scrutinize about the topic of personal data privacy, but there are three main concerns revolving around it:

• Control of personal data when sharing it with third parties
• Whether this data is collected legally
• Ensuring that data shared and collected is in compliance with regulatory restrictions of that particular region (such as GDPR, HIPAA, GLBA or CCPA)

Why is data privacy important?

In the IT industry, data privacy is possibly the most significant issue. An issue that raises constant scrutiny due to the rise of cybercrime and the data economy. Transparency from companies like Google, Facebook and so on, who built their empires atop this data economy is an issue we face to this very day, and it isn’t getting better. Transparency in how businesses collect your personal information and where they use it is a key part in building trust between individuals and organizations. It creates accountability with the company handling the individual’s personal data and the trust that they will follow their privacy policies to the letter. In an ideal world, it wouldn’t be an issue, but sadly we’ve seen too many data privacy breaches in the past to think otherwise.

Data privacy isn’t just a norm or a practice. It is now a fundamental human right. In the IT industry, data privacy is possibly the most significant issue. Privacy, in general, is an individual’s right to freedom from intrusion, or in other words, the right of a person to be left alone. Therefore, it is expected that privacy of one’s personal data should follow this same definition.

The misuse of personal data can have extremely dire consequences for any individual/organization. They could suffer a number of outcomes such as being defrauded by cybercriminals; having their personal identities exposed and in danger of identity theft that could lead to a domino effect of other crimes not perpetrated by the individual; being on the receiving end of unwanted marketing campaigns as a result of advertisers receiving personal information without the user’s permission; being tracked and monitored constantly, thereby depriving the individual of their right to freedom.

How is data privacy ensured?

Technological advancements have enabled an extremely sophisticated level of data collection and surveillance. In order to protect an individual’s rights, governments have passed laws on what personal data can be collected, where and how it can be used, and ensuring overall that data stays protected constantly. Depending on the region, there are different frameworks set up in order to ensure the privacy of personal data.

• The General Data Protection Regulation (GDPR), set up by the European Union is the strictest regulation to date. The GDPR ensures that personal data of European Union data subjects (individuals) are regulated on how data is collected, stored and processed and grants an individual full control over their personal data.
• The California Consumer Privacy Act (CCPA) ensures that individuals are made aware of what personal data is collected. It also grants individuals control over their personal data, including a right to tell organizations not to sell their personal data.
• There are other region-specific regulatory frameworks set up that have been heavily influenced by GDPR, such as Brazil’s Lei Geral de Protecao de Dados (LGPD), UK’s Data Protection Act, Canada’s Digital Charter Implementation Act (proposed in 2020), Nigeria Data Protection Regulation (NDPR) and so on.
• There are also industry-specific regulatory frameworks set up, most notably the United States’ HIPAA (Health Insurance Portability and Accountability Act), which governs the handling of personal healthcare data.

GDPR Compliance and Hexnode MDM-A step ahead towards data protection

Fair Information Practice Principles: Framework of modern data privacy law

Most of the data privacy laws and frameworks existing today are derived from the Fair Information Practice Principles. The Fair Information Practices are a set of guidelines for data collection and usage. These guidelines were first proposed by an advisory committee to the U.S. Department of Health, Education, and Welfare in 1973. They were later adopted by the international Organization for Economic Cooperation and Development (OECD) in its Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

It is important that organizations are aware of and understand the basic set of principles that led to the various data protection frameworks we have today.

1. The Collection Limitation Principle. This principle states that the collection of personal data must have its limits. This data must be obtained by lawful means and must be done with the knowledge or consent of the data subject.
2. The Data Quality Principle. The use of personal data must remain relevant to the intended purpose, must be kept accurate and up-to-date.
3. The Purpose Specification Principle. The purposes for which personal data are collected must be specified on or before the time of data collection. Any change in the use of this purpose must be specified as well. This principle is important as it creates trust between the data subject and the company, and creates an air of transparency.
4. The Use Limitation Principle. This principle states that personal data must not be disclosed, made available or used for unauthorized purposes subject to the consent of the subject as well as under the relevant legal authority.
5. The Security Safeguards Principle. This principle states that personal data must be protected against such risks such as unauthorized use, data loss, destruction, modification or disclosure of data.
6. The Openness Principle. Another important principle, this states that there must be a policy of openness or transparency about developments, policies or practices undertaken with respect to the use of personal data. The nature, existence and purpose of this data must be readily available as well as the identity and residence of the data controller.
7. The Individual Participation Principle. This principle grants an individual the right to the following:
   1. The individual has the right to obtain information from a data controller, or any other relevant individual, information concerning whether or not the data controller has data relating to them.
   2. The individual has the right to have data concerning them made known to them, within a reasonable time, at a reasonable charge, in a manner that is readily intelligible to him, i.e, not in a deceiving manner.
   3. The individual has the right to challenge any breaches of the above-mentioned principle and must be given proper reasons as to why.
   4. Lastly, the individual can challenge any data that relates to them, and in the event of a successful challenge, can have said data erased, rectified, completed or amended.
      This is a clear indication of an individual’s right to freedom. It also establishes the data subject’s control over their personal data when it is in the hands of the data controller, thereby securing the subject’s personal data.
8. The Accountability Principle. The data controller would be held accountable for upholding the spirit and compliance with any measures that give effect to the above principles.

These were the principles on which most of today’s data privacy frameworks were built on. Relatively simple and straightforward, it establishes an ethical boundary which should not be crossed by the data controller when in possession of a subject’s personal data.

What is data security?

Data privacy is the right of an individual to protect their personal data. Data security, however, refers to the procedures and practices that focus on the protection of personal data from cyberattacks, data breaches, access to data without consent and data loss. There is an overlap between the two terms, but there is a clear distinction as well.

Data security covers every aspect of a company’s infrastructure, from physical storage and hardware to administrative controls and access to the security and integrity of data stored on software applications. Every avenue must be secure. The security of personal data is ensured by the implementation of regulatory laws stated in the various international frameworks stated previously.

Why is data security important?

When implemented properly, data security provides a company/individual assets defence against cybercriminal activity, unauthorized access and even unprecedented events such as insider threats and human error. With the increased strides in technological advancement, the level of sophistication of cyberattacks have increased and therefore the level of cybersecurity measures taken to prevent any unforeseen events must also increase.

Enterprises and companies have all reached a state of near-total (if not complete) digital transformation. The amount of data collected and processed by companies is incomprehensible, and therefore the need for governance of this ever-growing reserve of data has increased. The challenges faced by these companies due to this have increased ten-fold.

The rise of new advanced computer environments like the public cloud, enterprise data, remote servers and new technological advancements such as the Internet of Things (IoT) has multiplied the scope of data breaches. This has alerted enterprises to the fact that they must be constantly updated with the latest security tools and counter-measures to repel any data breach.

We live in a world where even a single cyberattack or data breach against an organization is enough to bring it down. The bigger they are, the harder they fall. According to IBM and the Ponemon Institute, the average data breach in the year 2021 was projected to be around $4.21 million, a 9.8% increase from 2020.

Companies have not failed to recognize the business value of data. Customers must be convinced of the legitimacy, trustworthiness and transparency of a company’s capacity to collect and manage their personal data. Failure to prevent data breaches leads to a decrease in brand value, stemming from a loss of trust from the customers. This breach in trust could have a lasting effect on the health of a business for years to come. However, this could be averted if said company takes responsibility and communicates to its customers in order to maintain trust in the face of a breach.

What are the top threats to data security?

Cybersecurity threats become more sophisticated with each passing year, evolving with the changing technological environment. There are multiple threats to personal data security. Here are a few examples of common issues faced by organizations to secure sensitive data:

• Human error: Surprisingly, a good percentage of data breaches stem not from third party attacks, but from within the inside, unintentionally. Mishandling of sensitive data by employees by accidentally sharing or granting access to unauthorized sources is an issue faced by organizations everywhere. However, with proper employee training, this issue can be controlled.
• Data Loss: Cloud computing is being widely used by organizations everywhere in order to increase collaboration and sharing of data. It also increases the risk of sharing private files with unauthorized parties, either by accident or intention.
• Insider threats: Employees within the organization can leak data that threaten to compromise the security of company data. This can be done either by intention, accident or even when an employee is completely unaware of a data breach, due to accounts being compromised by an external source.
• Phishing: Phishing refers to social engineering attacks that involves messages or advertisements of some sort being used by an attacker to trick the user and gain access to a corporate network or gain access to the user’s credentials.
• Ransomware: Ransomware is one of the biggest data security threats faced by organizations of all sizes. It involves data being corrupted or encrypted, rendering it useless without a decryption key. Ransomware can go as far as to corrupt an entire corporate network as it spreads fast, and if not handled properly, could corrupt entire servers, which would lose an unimaginable amount of private data.

Recommended trends and practices to improve data security

In order to ensure that company data does not get breached, there are several practices and trends employed by organizations to improve data security. These techniques, or a combination of them would ensure the safety of private data.

• Physical safety of servers: Regardless of whether corporate data is stored on-premises or in the cloud, organizations must ensure the safety of physical servers against intruders as well as make the servers resistant to any unforeseen climate or fire-based source.
• Data discovery, detection and classification: In the modern age of IT, data is usually stored on servers, endpoints or cloud. Organizations must remain aware of the direction of data flows in order to identify which data is in danger of being compromised. They must know the data, the type and where it is used. The next step would be to classify the data based on its sensitivity and how it must be secured. This allows IT departments to employ the appropriate measures across the entire enterprise and mitigate breaches/attacks before it even happens.
• Data masking: Organizations have taken up the practice of creating a fake, but realistic version of their data. This is done to create a decoy of sorts in order to protect private data, while providing a functional alternative for such purposes such as user training, sales demos, or software testing. The data type is retained, but the values are changed. This is known as data masking.
• Data encryption: Data encryption is the method of converting readable data to an unreadable encoded format, accessible only with the help of a decryption key. This is a method employed by organizations everywhere to prevent attackers from easily accessing data.
• Authentication: One of the most important parts of any data security strategy, it is essentially the first defence against unauthorized access. Organizations have taken to using relatively newer methods of authentication such as Single Sign-On (SSO), Multi-Factor Authentication (MFA), breached password detection and so on.
• Data Loss Prevention: Organizations can provide a backup to their existing data reserves in the event of a crisis which causes the original servers to lose data by means of some form of physical calamity. With the help of Data Loss Prevention software, sensitive data can be identified after which data protection policies can be enforced and unusual amounts of data processed at any time can be identified.
• Compliance with regulatory policies: Organizations must regularly ensure that the data security policies follow the frameworks set up by governments. By creating policies, to assessing potential cybersecurity risks to ensuring that organizational practices are in line with industry standards, the volume of data breaches will be mitigated.
• Password policy: A simple, but effective practice. Setting up effective password policies with certain restrictions can go a long way in securing data. Organizations can ask employees to regularly change their passwords and set up passwords that are strong enough. However, the simple use of passwords has also not been as effective as expected. Companies now resort to MFA solutions that require users to identify themselves using a token, or by biometric means.
• Audits: A highly recommended practice is for organizations to perform data security audits every few months. These audits, either performed in-house or via a third-party agency will help identify any holes in the cybersecurity strategy, which can be solved once the organization takes the time to fix them.
• Anti-malware, antivirus and endpoint protection: Modern cyberattacks on organizations are mostly malware. To address this situation, employees must ensure each device, endpoint and workstation has the appropriate protection.

Check out Heather Grey’s blog on how to adapt to changes in data privacy laws to understand how these trends can help your organization in the long run.

Featured resource

Why Hexnode UEM?

Hexnode UEM helps you cover every possible aspect of comprehensive device management. Refer to the brochure to know more about UEM features and why UEM implementation may be the best thing for you!

Download brochure

Security and Privacy – hand in hand

As previously mentioned, the terms security and privacy are used interchangeably. While they are overlapping in many ways, they are in fact different. Security and privacy do go hand in hand in my ways. While security controls can be met without satisfying privacy policies, privacy policies cannot be addressed without an effective security policy. Privacy is the right to protect data; security is the process and practice of protecting data.

Security solutions like Hexnode UEM take great pains to understand the distinction between the privacy and security, and strive to find balance between privacy and security; so that customers can be assured of the privacy of their data and enterprises who use Hexnode have personal files fully protected with the most recommended industry practices.

Disclaimer
This article and the information in it do not constitute legal advice and are intended to support customers in their compliance efforts.