When people talk about data security, most of the time data privacy is in the following sentence. Even though they have many commonalities, they are different things. Both with physical practicalities in the real world, and digital nuances on the web.
What is data security?
Data security is the practice of protecting sensitive information by mitigating risks and vulnerabilities. Risks can include unauthorized access, use, disclosure, interception, or destruction of data. Data vulnerabilities can include weak or easily guessed passwords, unencrypted data, and security flaws in software and even hardware.
All of these have one thing in common: they all require effort on the part of the engineering team. It requires special attention and takes specific actions in order to make sure sensitive data remains secure.
Modern software-heavy companies offload much of the hardware responsibility to cloud providers, so the bulk of the data security work needs to be done on the software side. This happens by adhering to strict controls and ensuring that engineering teams are empowered to make good security decisions.
What is data privacy?
Data privacy is the control individuals have over their data. For our digital lives, this focuses on who can use the data and what they do with it.
For software compliance teams, privacy is part of the overall data governance topic and is all about ensuring that frameworks and processes are in place to meet the requirements of the growing privacy regulations worldwide, let it be GDPR, CPRA, PIPA, etc.
Privacy laws are written by lawyers and for lawyers, therefore there is little concrete explanation or requirements when it comes to implementing technical safeguards to protect private data. This is left up to interpretation. In practical terms, adhering to regulation is as much about paperwork as it is about implementing privacy-protecting measures.
Data security vs. data privacy
The increased focus on privacy has helped security. Privacy regulation resurfaced the topic of protecting sensitive data and has helped make it a top concern for many organizations.
They are so closely linked that they include the same first step: identify what sensitive data is processed, where it is located, and how it moves. Interestingly, visibility is also the foundation of every security practice—before being able to actively implement data security, visibly over sensitive data is an essential but challenging step.
What about data protection?
We’ve written about data privacy vs. data protection before. The basic version is: protection is about data integrity and preservation. In the event of an attack or fatally destructive error, data protection makes sure the data can be recovered.
For example, in the event of a disaster at the data storage facility, offsite backups can provide the safety net to ensure that no data loss occurs.
While excellent data security can avoid most data breaches and malicious attacks, it will never be perfect—and further cannot protect against hardware failures. That’s where data protection differs from data security.
The current gap in data security
Data security, data privacy, and data protection all circle around sensitive data. Tools serve distinct use-cases, but often touch the same parts of an organization’s tech stack. The big problem, and this isn’t new, is that these are mostly seperate—but dependent—parts of an organization. Privacy, compliance, security, and engineering all need to talk to one another. All the while they have different needs.
Sensitive data’s importance needs to reflect its impact. The more focus we can place on securing sensitive data, the more easily all parties can communicate.