Latest Products

Privacy and Security are not the same

Monday 17 July 2017

Data privacy and cyber security are interlinked, but they are not the same thing.

At the Data + Privacy Asia Pacific Conference, Sheila FitzPatrick, World Wide Legal Data Governance and Privacy Counsel Chief Privacy Officer at NetApp, emphasised that when talking to suppliers for cloud storage, there often tends to be a focus on data security but not on data privacy.

“You can ask a privacy question but you get a security answer,” said FitzPatrick. “When you think about entering the world cloud, you need to think ‘What are the global restrictions where I operate? Where is my data coming from? How is the supplier compliant with data privacy laws?’”
Organisations need to ensure suppliers are complying with the data privacy regulations of all relevant jurisdictions.  

According to FitzPatrick, it is not just about where the data is being collected from either, but also where that data is flowing through. The supplier must be compliant with the laws of those jurisdictions as well.

“Data privacy is the wheel,” FitzPatrick said. “It’s the full life-cycle of that personal data you collect—from the time you collect it, to the time you destroy it. It’s the regulatory obligations that say what you can collect, what you can do with that data, who can access it, how long you can maintain it, when you have to destroy it, and whether or not it can move outside of the borders.” She added that security is an extremely important spoke on that wheel because during the lifecycle of that data, it needs to be protected.

FitzPatrick emphasised that is important to look at your privacy impact assessments before you look at your security impact assessments.

Key differences between data privacy and data security:

  • Privacy is the legal collection, use, sharing, storage and transfer of data, while security is the protections around that process.
  • The ISO 27018 deals with data security but not data privacy.
  • Most cloud vendors deal with security but not data privacy.
Developing data privacy regulations
Understanding the difference is significant, especially in a developing regulatory landscape, where the possibility of cross-jurisdictional harmonisation is beginning to emerge. There has been, and will continue to be, increased collaboration amongst:

The above table indicates an increasing alignment of regulation and growing emphasis on the part of regulators to make organisations take better care of consumer data.

How to mitigate these risks
FitzPatrick recommends some key mitigation strategies:
  • Have clear and explicit policies and procedures
  • Do a Data Privacy Impact Assessment (DPA)
  •  Data privacy agreements
  • Understand and ensure your organisation understands the difference data privacy and data security
  • Restrict access to data
  • Clear delegation of data ownership between data controller and data processor
  • Understand data flows, location, backups and replication
  • Classify data
  • Do risk assessments on third parties