Data Security and Data Privacy, while often used interchangeably, relate to different issues, and organisations need to understand what each one involves so as not to run afoul of the laws.
In 2020, authorities in several European countries fined large companies over €158 million ($191 million) for violations of the European Union’s General Data Protection Regulation (GDPR), perhaps the most comprehensive law seeking to protect individuals’ data.
An organisation’s breach of GDPR’s principles is termed a privacy breach, while an organisation’s exposure to a breach owing to a lack of protection is termed a breach of data security.
Often used interchangeably, Data Privacy and Data Security relate to completely different issues, and organisations need to understand both so as not to fall foul of the laws governing them and pay a huge price in reputational damage.
Here is a quick primer.
Today, every time people surf the web, shop online, send and receive mails or use social media, they leave behind a digital trail. Companies can collate this data, use complex algorithms and create fairly accurate profiles of users. This includes such personal information as financial status, sexual orientation, political views and health, as well as shopping preferences.
Just how comprehensive are these profiles? Here are two examples. Cambridge Analytica, the infamous firm that collected information in an unauthorised manner on 85 million American voters, used to boast that the data gave it access to 5,000 touch points on each individual. Another notorious case involves a giant US retailer which used customer data and analytics to accurately predict a teenage pregnancy (even before the girl’s parents knew about it) and offer her deals on pregnancy products.
Governments around the world are increasingly tightening regulations relating to access to individuals’ data to protect its privacy. Businesses now need to have in place properly codified procedures and policies governing the collection, storage, sharing, and usage of Personally Identifiable Information (PII). They also need to ensure that they build in internal rules and regulations on who has access to this data, how it is used and whether they have the users’ consent for such collection, storage and usage.
Data security is about protecting data from unauthorised access via breaches, leaks or malicious hacks. This data could be an organisation’s own data, say financial reports, or data that it has collected from its customers and other stakeholders.
The need for data security in today’s interconnected world cannot be overemphasised. Data is among the most prized assets in the world. This is also reflected in the combined market capitalisation of the world’s top five tech firms – Alphabet (Google’s parent), Apple, Amazon, Facebook and Microsoft. Powered by their unimaginably large volumes of customer data, these firms are valued at a total of USD 8.9 trillion. This number is more than the GDP of all countries except the US and China.
Given this value, enterprises invest enormous amounts in a range of technologies to secure data. These could be firewalls, multi-stage user authentication, network access controls and high-grade encryption. However, the value of data also attracts malicious actors interested in getting unauthorised access to it. Some of the biggest companies in the world have been hit by data breaches.
From the foregoing, it is obvious that organisations need detailed policies and processes to ensure both data security and data privacy. Failure on either of these fronts can have ruinous consequences.