In today’s digital world, “Data is the new Fuel”, we’ve heard this a lot of times. Along with this phrase we have also heard the terms like Data Privacy, Data Security and Data Protection.
For a common man, these are the buzz words which he needs to be concerned but what do they exactly mean to him and to the other users of the data. We will try to bring out the distinctions between each term through this article.
The above terms are often misused interchangeably as trying to bring out the differences between each term i.e. data privacy vs data security vs data protection may be challenging, but it is not impossible.
In this article, we will look at these three critical terminologies related to the user data in-depth and try to explore what best practices need to be implemented by businesses or organisations to protect their customers’ as well as their interests.
We will cover the following in this article:
- What is Data Privacy
- What is Data Security
- What is Data Protection
- Data Privacy vs Data Security vs Data Protection
- Tips on Best Practices for Data
- Conclusion
Data Privacy
In the recent times, with new and updated data privacy laws popping up regularly to ensure websites and online businesses treat their customers’ data ethically, it is challenging for the businesses to keep up with the definitions, regulations, legislations and compliance.
Data Privacy refers to the proper use and processing of personal data by restoring control over their data to individuals / owners. Simply put, data privacy enables individuals to decide and limit access to the use and sharing of their personal data to others / third parties.
The data processors (like Financial Services / Utility Service Providers / Airlines / Healthcare Systems / Insurance Cos. / etc) cannot use and/or share their customers’ data without explicit written consent from the individual (the data owner).
Protecting personal information ensures that the data is kept secure. This is where data privacy transitions to data security and protection.
Data Privacy Laws
There are numerous regional laws that are applicable for data privacy around the world. These laws are applicable to the people belonging to the region irrespective of the location of the data around the world. For e.g. if a person is living in Europe and for a legitimate reason the data shared by him for availing a service, is located in a country / region outside Europe, the provisions of the Data Privacy Laws applicable for Europe would also be applicable to the organisation in another country, where the data is located on the organisation’s computers.
If you are a business owner with an online presence, you may have probably come across these laws that are enacted worldwide during the recent times.
Some examples of the Data Privacy Laws that aim to protect users’ data privacy online, are:
- EU General Data Protection Regulation (GDPR)
- Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)
- California Online Privacy Protection Act (COPPA)
- California Consumer Privacy Act (CCPA)
India, too, is bringing out Personal Data Protection Act (PDPA)
How Data Security Affects Data Privacy
Most online businesses, websites or even Service Providers collect personal information or data from email addresses to phone numbers, credit card details, and log-in details from the consumers. The concept of Data Privacy means that the entities that are collecting the data
from the customers / consumers, should not keep more information than necessary or required for the business relations NOR should it be kept for a period longer than necessary or required. However, it should also be noted that one cannot operationalise data privacy without ensuring the data security. For e.g. if an organisation fails to protect the data related to credit cards issued to its customers, from the hackers and they (hackers) get access to this data, they will sell the same for monetary gains, thus risking the customers financial status. Therefore, data security and data privacy go hand-in-hand or it may be said that data security is a pre-requisite for data privacy.
What is Data Security
Like data privacy, the term “data security” is a little vague and not necessarily intuitive. There exists a confusion while making comparison between data privacy, data security and data protection concepts.
Data Security is the concept of protecting data from theft, corruption, or unauthorised access throughout its lifecycle of:
- Creation
- Storage
- Use
- Sharing
- Archiving
- Destruction
Data security involves everything from physical security of the storage devices and hardware to administrative access controls and the security of software applications using which the data is accessed. It also includes organisational policies and procedures.
Proper implementation of the data security measures can protect the data from cybercriminal activities, insider threats and human errors.
There are various tools and techniques available that assist in protecting the data, including:
- Redaction of sensitive files
- Data Masking
- Encryption
- Automated Monitoring, Alerts and Reporting
These tools can help keep the data secure while supporting the operations in other areas like streamlining the audit processes and complying with regulatory requirements.
What is Data Protection
Once it is ensured that appropriate data privacy and data security measures are in place, the next step is to provision for proper data protection measures.
There are two definitions for “Data Protection”, narrow and broad.
- The narrow or traditional definition of data protection states “Maintaining data availability by way of Backups so you can easily restore data when required.”
- The broader or more modern definition of data protection “covers data availability, immutability (unalterable or unchangeable without proper authorisation), preservation, retention, deletion / destruction and “data privacy” and “data security”.
The more data you collect and store, the more important it becomes to create backups for the critical data. For many organisations, the timeliness of implementing a backup is also essential. Ideally, if you have lost critical data, you would want to replace it as soon as possible to avoid losing out on business operations during the downtime.
There are several ways to implement a data protection strategy, from using different storage devices to creating cloud backups and archival systems.
Data Privacy vs Data Security vs Data Protection
Now that we have understood the basic definitions of the three terms, let’s have a look at how these three terms compare, how they are linked and how they operate in tandem.
The following table illustrates the differences between the concepts of Data Privacy, Data Security and Data Protection:
| Data Privacy | Data Security | Data Protection |
| Ensuring proper use of personal data by giving individuals control over how their data is accessed, used, or shared. | Protecting data against unauthorised access, use or destruction by implementing appropriate technical controls, administrative measures and processes. | Covers data availability, immutability, preservation, retention, deletion / destruction, and “data privacy” and “data security”. |
Data Privacy vs. Data Security
To understand these in a better way, let’s compare the above terms.
Data Privacy is the concept of ensuring proper use of personal data by giving individuals control over how their data is accessed, used, or hared. On the other hand, data security keeps that data safe from unauthorised access.
Example 1 – Data Privacy
eShopping.com sells unique products via its eCommerce shopping website and it collects many pieces of data from its customers (online shoppers) such as:
- Email addresses
- Login Details
- Shipping addresses
- Billing addresses
To ensure proper handling of personal data and to give individuals control over access to and sharing of their data, eShopping.com does the following:
- It allows its customers t unsubscribe from its email marketing & newsletter
- It does not disclose its customers’ email addresses and purchase data to data brokers without getting its customers’ consent.
- It stores customers’ purchase information in accordance with data storage periods determined by applicable laws.
These efforts are part of eShopping.com’s data privacy strategy. Example 2 – Data Security
The executives recently decided to update eShopping.com’s data security policy. As a result, they hired a data security analyst who brought to their attention that more staff members had access to shopper’s information than necessary – weakening the company’s overall data security.
After reviewing which staff members needed access to this information, they reduced the number of “need-to-know” players from 26 to only seven. In addition, they allowed an outlet for some other members to request access under special circumstances.
By reducing the number of staff members who could access shopper’s data by nearly three- quarters, eShopping.com significantly strengthened its data security plan.
Data Privacy vs Data Protection
Now, let us compare the differences and similarities between data privacy and data protection.
Once again, data privacy concept of collecting, sharing and storing as little data as possible. On the other hand, data protection refers to creating copy(ies) of your data to restore it quickly if the same gets lost or damaged.
Consider the example 1 above and then compare that how eShopping.com handled its data protection concerns in the following example.
Example 3 – Data Protection
eShopping.com is a national-level company which has initiated measures to broaden its reach into the international market. However, a data protection analyst recently pointed out a potential issue.
Imagine eShopping.com’s shopper data was suddenly lost or destroyed by a cyberattack or human error. In that case, it could lose millions of dollars in revenue before its current data protection plan could restore the data to its formal level.
eShopping.com’s executives evaluate the costs of updating their plan against the benefits and decided it would be worthwhile to invest in the analyst’s recommendations to strengthen the data protection plan. Some of the data protection analyst’s recommendations were:
- Running tests on data reinstatement speeds for different
- Creating cloud backups
- Updating the backed-up data
Data Security vs Data Protection
People often use the terms data security and data protection interchangeably because the two concepts sound similar. The confusion is understandable, as many assume that protecting data is same as keeping it secure.
However, these terms carry specific definitions or meanings that shouldn’t be mixed up.
Data security is the process / measures of keeping your data safe from unauthorised access. Meanwhile, the data protection focuses on replicating or creating copy(ies) and protecting that data in the event of data loss or damage.
While comparing the examples 2 and 3, we observe how eShopping.com updated its data security policy vs. its data protection plan. They focused on reducing the internal access to shopper’s data to improve its data security.
One of the likely threats is that a malicious activity may sometimes can come from within the company. Additionally, it also reduces the likelihood of occurrence of human errors, which is one of the main cause (almost to the tune of 90-95%) of cybersecurity threats.
Tips for Best Practices for Data
When it comes to Data Privacy vs. Data Security vs. Data Protection, it always helps to stay on top of the industry’s ever-changing best practices. Below are some tips that help you to stay on the cutting edge.
Tips for Data Privacy Best Practices
- Understand how your relevant regulations define personal information
- Utilise proper consent management when collecting data from customers (individual / data owners)
- Collect and store only essential and relevant information
- Do not store the customer data, longer than
- Understand the individuals’ rights over their data under applicable laws and When individuals submit a request such as objecting to sharing of their information, comply with such requests.
Tips for Data Security Best Practices
- Limit internal access to data
- Encrypt your data
- Do not use public Wi-Fi connections on your company devices
- Adopt extra precautions to guard against human errors
Tips for Data Protection Best Practices
- Backup essential data regularly
- Consider sending the backed-up data to the cloud
- Consider backing up data in a different physical location from your company’s offices – catastrophic event at your physical location could destroy both the original files as well as the backups.
Conclusion
Data Privacy, Data Security and Data Protection are key components that need to be understood in the right context. Although they are intrinsically linked to one another, they comprise entirely different ideas and techniques.
Being up-to-date on the best practices and updating your data policies can assist in keeping you and your customers safe from cyberattacks, data leaks and data breaches.
