Lecio de Paula discusses the changing risks associated with privacy and security, and why their convergence means organizations need to take a more holistic approach to managing these two aspects of data protection.
With the arrival of the General Data Protection Regulation (GDPR) in the EU and UK, and similar regulations in Singapore and California, it is clear that the global security and privacy landscape is changing. The purpose of these regulations is clear: to protect and preserve the privacy of individuals and their personal data. Yet in the past year alone millions of data records have been breached, and the trend shows no sign of slowing down.
For many years, security and privacy have been treated as two separate disciplines. Recent breaches, however, show that the line between them is becoming more blurred by the day. This is not to say that privacy and security are the same; they differ in many ways, but they go hand in hand.
Security, primarily, is about implementing appropriate technical controls, such as multi-factor authentication (MFA), strong encryption controls and protecting data through logging. Privacy, on the other hand, boils down to how that data is stored, accessed, its confidentiality and ultimately how that data is used. The two exist symbiotically and you cannot have one without the other.
Given this, it is fundamental that organizations promote collaboration between privacy and security teams in order to ensure that data is protected properly. Data protection laws such as Singapore’s Personal Data Protection Act (PDPA), the California Consumer Privacy Act (CCPA) and, of course, GDPR require organizations to implement both privacy and security controls. Companies that choose not to implement appropriate controls run the risk of heavy fines and other sanctions, up to and including an order to cease all of the organization’s data processing operations, should the regulator deem it necessary.
Many people are under the impression that these regulations are simply privacy laws. They are much more than that. As their names imply, they are data protection regulations, encompassing both privacy and security. They set out what organizations need to do to protect the confidentiality, integrity and availability of personal data, as well as how personal data may be used, including when it is shared between businesses. GDPR, for example, does not prescribe a fixed checklist, but Article 32 names the technical and organizational measures an organization is expected to consider: pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems; the ability to restore availability and access to personal data after an incident; and a process for regularly testing and evaluating the effectiveness of those measures. In addition, the European Data Protection Board (EDPB) publishes further guidelines on what companies need to do in order to protect users’ personal data.
In order to stay ahead of the game, organizations need to break down the barriers between privacy and security and take steps to reposition privacy so that it works in harmony with security. The shift is not easy, particularly for US-based companies that are used to treating privacy as simply a requirement of the Health Insurance Portability and Accountability Act (HIPAA). However, if organizations are to implement effective security measures, privacy and security must work closely together.
It is important to note that responsibility for an organization’s data protection practices does not fall solely within the remit of the data protection officer (DPO) or the chief information security officer (CISO). It falls upon everyone in the company. Organizations therefore need to move quickly to overcome obstacles and manage the data protection obligations of every department.
What are the different departmental obligations?
The human resources department is responsible for training employees and for ensuring that data protection notices, or privacy policies, are signed off. Engineering teams, who implement privacy by design (PbD), are responsible for building privacy into products from the outset and for adhering to secure coding practices. Marketing has the enormous task of ensuring that all company web pages are compliant and collect data in accordance with the company’s privacy policy. The legal department plays a large role in creating contracts, terms and other legal documents that provide privacy and security protections for the company. And finally, security teams ensure that products are secure, manage third-party vendor risk and ensure that all internal processes are as secure as they can be. While this is not a comprehensive list of all departments, it gives a reasonable idea of how interdepartmental responsibility plays a role in data protection.
If these responsibilities are not monitored regularly, companies can find themselves in hot water. Most departments in an organization touch personal data at some point, so it is imperative that effective training is provided to all staff so that privacy best practices are upheld. It only takes one slip-up to sink the ship, and employees must therefore be aware of their data protection obligations. A good motto to work by is: “if personal data is involved, data protection principles need to be taken into consideration at the beginning of the project”. Creating a workforce of privacy- and security-aware employees significantly decreases the risk of non-compliance.
The author
Lecio de Paula is director of data privacy at KnowBe4
Reader comment
A business continuity colleague regularly forwards me features from Continuity Central, most of which I find thought provoking and informative. However, the article 'Are privacy and security at a crossroads?' published on Continuity Central on Thursday 12 September 2019 did not meet this standard and I feel compelled to comment.
As a security professional for more than 30 years I was disappointed that a 'Director of Data Privacy' appears to have no real understanding of security. To state that 'Security, primarily, is about implementing appropriate technical controls' whereas Privacy is concerned with 'how data is stored, accessed, its confidentiality and how that data is used' is naive and factually incorrect. This statement fails to recognise the long held and accepted fundamental principle that security is a multi-layered approach to protecting confidentiality, integrity and availability through the implementation of preventative, detective and responsive controls, whether they be technical or not.
Additionally, whilst the two elements of security and privacy work together, I disagree that 'you cannot have one without the other'. Privacy relies on security for the basic controls, enhancing them with the more detailed requirements necessary to protect individuals' data. However it is possible, and indeed common, for security controls to be implemented without considering privacy. After all, if the assets to be protected do not relate to individuals it would be wasteful and inefficient to implement unnecessary controls.
E A Parkins MSc CISM