If you look at the title of this blog article and aren’t sure what the answer is, you’re not alone. Even industry veterans find it hard to disentangle cybersecurity and data privacy. There is a good reason for this. They are associated, even intrinsically linked, and both have to deal with nefarious elements that would do us harm. But they are not the same. In this article, we hope to point out where cybersecurity and privacy overlap and where they diverge.
Disclaimer: This blog article was written by our compliance experts for general information and does not claim to provide legal advice. To understand the full context of your organization, please consult with a privacy compliance and/or legal professional.
Privacy seems to be one of those slippery terms that is hard to pin down.
In the context of technology, we are generally referring to data privacy, which concerns data in all of its forms – from images to documents to location and political leaning. But privacy, as a concept, is a long-held, intrinsic human right.
The American Constitution, for example, gives a strong nod to privacy, although it holds back on being specific about what privacy actually constitutes. The Ninth Amendment of the Constitution is often quoted as upholding the right to the privacy of beliefs and lifestyle:
“The enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people.”
Unlike traditional privacy definitions, the modern concept of online privacy is much more concerned with our personal data. Again, online privacy has been difficult to define, and many industry experts have attempted to do so. A recent definition was offered by Toby Hayes, a privacy guru in the UK:
“Privacy is the understanding that individuals have about how personal data about them is used, and their ability to influence the outcomes of that use.”
This definition reminds us that online privacy is about us (the user) controlling what happens to our data. It illustrates that privacy is not about hiding data; it is a process, a subset of a larger picture of trust. And trust is a foundation stone of a relationship. If you have trust, you have a good relationship. If trust breaks down, the relationship falls apart. This is as true online as it is offline. Privacy is part of this larger equation. Data privacy is ultimately about having a choice in the decision-making process when data is created, shared, or stored within a given system.
The best way to explain data privacy is to look at how it is being applied.
This takes us naturally to the data privacy enforcement bible, aka the EU’s General Data Protection Regulation, or GDPR. This regulation, which has sent shivers down the spines of hardened IT professionals, is a reaction to the radical changes in the way personal data is passed around the Internet. The GDPR sets out a frame of reference for how to handle and deliver the needs of modern data privacy. Within this is the overarching ethos of “consent”.
Consent matters an enormous amount. If you consent to another party using your data, that consent should place you at the center of control over that data.
However, consent is not an on/off switch. Consent, like trust and relationships, is a fluid entity. It is also a granular choice. The GDPR has attempted to make provisions for this, but some of the interpretations are not quite in compliance.
The recent Google fine of $57 million is just the start of what seems to be a deluge of complaints against organizations, large and small. In the UK, for example, the Information Commissioner's Office (ICO) has seen a 100% increase in frontline services since the GDPR came into effect, and by December of last year it had received 8,000 data breach notifications.
Data privacy is not just about consenting to the processing of personal data. It is also about governance, awareness, and transparency on the side of the organization. Malcolm Crompton, a former Privacy Commissioner of Australia, places some emphasis on putting a value on data that can be conveyed to the board. In a paper on the subject co-authored with Juergen Sidgman, they state:
“Businesses tend to be ineffective at data protection because, generally, they misunderstand the value of the data they possess.”
Privacy, then, is about process: a process that encompasses the lifespan of the data, putting the individual center stage while bringing the organizations that process the data into the fold.
Cybersecurity is a set of strategies, techniques, and controls to reduce risk and ensure that your data assets are protected.
If data privacy is about control, then cybersecurity provides some, but not all, of the means of that control. Cybersecurity is at the heart of the discipline of data protection: the protection of assets in all the forms they take.
Like privacy, cybersecurity is a process. It requires an understanding of the threat landscape in order to create policies, processes and procedures, and then to put the tenets of those efforts into practice.
Every aspect of our working and personal lives is touched by cybercrime, and the cybersecurity market is buoyant as a result. The cybersecurity industry is expected to grow over 10% annually to be worth $248 billion by 2023. Cybersecurity covers a wide gamut of ways to protect our organizations and ourselves from cyber-attacks, whether they come from inside our company or from external threats. Cybersecurity is not just about the protection of data. It is about protecting assets like critical infrastructure, preventing the disruption of operations, and stopping the extortion of money.
However, cybersecurity measures and the understanding of cybersecurity professionals can give us the conditions needed to ensure that our data privacy is upheld.
Data privacy is managed through consent but augmented with security measures. Security plays a large part in preventing the data breaches that expose personal information. If you have consented to allow an organization to process your data, then that consent means nothing without some way of enforcing the protection of that data. Typical privacy enforcement measures include:
Hopefully, this article has shed some light on the two bedfellows, data privacy and cybersecurity. Each has its own distinct coverage.
Data privacy is reliant on cybersecurity to do the heavy lifting and make sure that the data representing the real-world person is protected throughout its life cycle.
Data privacy, on the other hand, goes far beyond those protection mechanisms. It takes on a life of its own as it helps an organization build a trusted relationship with its customers, employees, and wider human touch points.