Data Security vs. Data Privacy: Not the Same But Functionally Equivalent
As digital solutions have become nearly ubiquitous, few terms have taken a more central place in our conversations than data privacy and data security. Consumers, businesses, and organizations of various types are tiring of the barrage of data breaches and process failures resulting in unauthorized distribution of their sensitive information.
In casual discussions of these events, it’s easy to use the terms ‘privacy’ and ‘security’ interchangeably. And indeed, there are interdependencies: an internet platform’s strongly worded privacy policy, for example, is meaningless if lax cybersecurity routinely leaves user data unencrypted and available to any internal employee whose privileges let them access and share it without the customer’s permission.
However, in much the same way that conflating ‘information’ and ‘data’ can confuse issues of ownership, substituting the term ‘security’ for ‘privacy’ can muddy our problem-solving efforts. It’s important in matters of law, regulation, and policy to be clear about where privacy and security diverge, and equally vital to understand how the technological means by which we will achieve our goals in both areas overlap.
Privacy is Consumer-Oriented
When we use the term ‘privacy,’ we are referring to an individual’s right to control access to and use of their personal information. Even as kids, we considered it a clear violation of our privacy if a sibling sneaked into our room and read our diary.
There is an expectation that individuals themselves will direct if, when, how, and on what terms personal data is shared with other people, professionals, or organizations. To guarantee privacy, consumers must be able to extend, deny, or revoke such permission.
Although corporations are deemed ‘persons’ under U.S. law, the concept of privacy doesn’t extend to businesses, trade associations, and other organizations. Breaches of organizational information may reveal trade secrets or compromise intellectual property, but they don’t represent invasions of privacy.
Security is Organization-Oriented
Data security, on the other hand, involves organizations that create, process, own, control, and store data. Like consumers, organizations may choose to share such data with trusted individuals, professionals, or organizations for any number of reasons. Unpermitted use of sensitive organizational data, however, represents a security breach.
The Technology Requirements Are Functionally Identical
Although they refer to different types of data, both privacy and security pertain to sensitive information. From a technological standpoint, guarantees of both privacy and security boil down to data controls: the protections that bar unpermitted use or disclosure.
In this sense, the terms are functionally identical. The same technical capabilities can ensure organizations’ data security and consumers’ privacy—and that’s good news for our digital future.
A Road to Real Enforcement
It may seem odd to begin by arguing that privacy and security are inherently different, only to come full circle and demonstrate their functional overlap. The point is that accurately defining the scope of security versus privacy can help us craft clear ‘rules of the road’ embodying our expectations for how different types of data are used.
The Privacy By Design (PBD) principles developed in the 1990s, for example, have gained substantial buy-in as the foundation for privacy policy. Similarly, the EU’s General Data Protection Regulation (GDPR) imposes penalties on organizations when insufficient security measures leave a door open to data breach. As many have noted, PBD, GDPR, and various other statements of principle and compliance regimes define privacy and/or security goals but lack technology recommendations.
In the absence of ready-to-deploy solutions, the most robust law, regulation, or company policy is little more than a promise. Such rules are mere ‘should’ or ‘should not’ propositions and thus a matter of choice. True enforcement requires ‘can’ or ‘cannot,’ leaving no opportunity to opt for non-compliance. Fortunately, that kind of enforcement is possible in the digital realm because data is a physical entity controlled exclusively by software.
As an analogy, consider seatbelts in our vehicles. The law insists that everyone in a car wear a seatbelt when the vehicle is in motion, but drivers and passengers may simply choose not to obey. Technology can enforce the law if seatbelts are designed to deploy automatically when the ignition is turned, making compliance the default. To ensure security and privacy, data controls must be similarly built into software, by default and by design.
The question is how to do it, and we’ll cover that topic next.