The terms “Data Protection” and “Data Privacy” are often used interchangeably. Both refer to keeping information secure and out of the wrong hands. When discussing these topics during Data Privacy Week, some people colloquially use the terms to express the same idea; after all, private data is protected data, right?
Data Privacy Week is an annual awareness campaign designed by the National Cybersecurity Alliance (NCA). The goal is to encourage online privacy in two ways: by helping individuals understand that they have the power to manage their data, and by helping organizations understand why it is important to respect their users’ data.
Data Privacy Week 2023 is focused on both promoting transparency with consumers and exploring business data collection best practices as they pertain to data privacy. The term Data Privacy was chosen deliberately. While it relates to Data Protection, there are some important differences. Understanding the nuances of these terms will help organizations take the proper steps to secure proprietary and personal data.
What is Data Privacy?
Data Privacy is defined by the European Union as “empowering your users to make their own decisions about who can process their data and for what purpose.” In practical language, it is “the right to keep your data private” as outlined by the NCA. This idea relies heavily on various governing bodies championing an individual’s right to privacy — the right of an individual to dictate who has access to their information and for what purpose.
Data Privacy often refers to policies that deal with who is authorized to access data. Organizations that respect Data Privacy will transparently outline usage details for customers and clients. For example:
- They enforce a Least Privilege Model so employees access the minimum amount of information needed to complete tasks.
- They clearly present if data is being sold, where it is being sold, and offer an easy path for individuals to opt out.
- They limit the data they collect to what is necessary for business, and will explain to all consumers what they collect, and how long they store any information gathered.
- They provide an efficient means for individuals to request their information be destroyed (within legal parameters) and follow through with action promptly.
Aspects of Data Privacy have legal and regulatory ramifications depending on the industry (think of HIPAA for medical information) or country (think of GDPR for European Union citizens). As governmental and societal standards develop around this issue, businesses need to be prepared to rethink how they implement Data Privacy.
Organizations need to vet their contractors’ and partners’ Data Privacy stance as well! They remain the steward of the data their clients and customers entrust to them.
What is Data Protection?
A Data Privacy mindset necessitates implementing Data Protection. According to the European Union, “Data protection means keeping data safe from unauthorized access.” This involves tools such as endpoint security software, encryption, and physical safeguards to repel cybercriminals and safeguard organizations from events that lead to data damage and loss.
There are hardware, software, and training considerations, which GDPR describes as “appropriate technical and organizational measures.” Some of these measures include:
- Utilizing multi-factor authentication for devices and accounts
- Encrypting devices and data
- Creating a Data Privacy Policy in the staff handbook and training employees appropriately on cybersecurity and data privacy measures
- Functioning with a Least Privilege Model
- Keeping up-to-date backups securely so operations are not crippled in the event of equipment failure or criminal attack
In 2022, breaches cost on average $4.35 million. Since individuals share so much of their data with businesses in order to use the services they provide, it is imperative that businesses take their Data Protection responsibilities seriously.
Endpoint Security, Privacy, and Data Protection
Data Protection is an integral part of respecting Data Privacy. When an individual determines who is authorized to access his or her information, a company must take steps to keep unauthorized individuals out to protect those rights.
Endpoint security pertains to the tools and policies used to protect devices that connect to an organization’s network. These gateways are devices such as cell phones, laptops, tablets, etc., which allow access to critical information and resources. It is important to have Endpoint Protection on any device that contains private data.
For example, if personally identifiable information (PII) is stored on a company’s server, it must be protected. If an employee can access such files via a laptop, and proceeds to take that laptop to a cafe to meet a client, the endpoint is now in a vulnerable position and needs additional safeguards.
A Data Privacy model that values security will utilize various Data Protection tools to defend data. Measures such as privacy screens, multi-factor authentication, encryption, and endpoint security software all have a part to play.
- Privacy screens limit the information a casual passerby can see from glancing at the laptop.
- Multi-factor authentication means that multiple devices or keys would have to be taken to gain access to company accounts or portals.
- Encryption protects data in the event that a bad actor swipes a hard drive or machine, as the information cannot be read properly without the decryption key.
- Endpoint security software allows the company to track the laptop’s location and take additional action if needed, such as:
  - Remote locking
  - BitLocker encryption key rotation
  - Remote hard drive wipe
Together, these tools strengthen an organization’s defensive barrier, helping to ensure data protection and promote data privacy.
Conclusion
Data Protection and Data Privacy are not the same thing, but they are closely linked. Privacy defines what needs to be protected and for what purpose, and Protection keeps that data private from all external threats. Organizations and individuals are safest when Data Privacy and Data Protection work together to inform a culture of cybersecurity within an organization.