Understanding the difference between data security and data privacy plays a key role in ensuring that your organization maintains a strong security posture, while also performing your due diligence to protect the personal data that you are responsible for. For many businesses, security trumps privacy. They need assurance of regulatory compliance, so they offer their security efforts as evidence. But what happens when the focus is only on security instead of both security and privacy?
The Difference Between Data Security and Data Privacy
Knowing the difference between privacy and security matters because of what is at stake. Data security is about protecting data, and data privacy is about controlling data. The difference between the two all comes down to what is being safeguarded. Is it the data or user identity?
To further understand the difference between security and privacy, there are seven key components to consider:
- Scope – In data security, the scope tends to apply to all information assets, as opposed to data privacy where the scope applies to information provided by data subjects or consumers.
- Particularity/Uniqueness – Accepted security standards tend to apply broadly across the many disciplines of data security, whereas privacy requirements are usually particular to specific obligations and specific data types.
- Disclosures – Data privacy involves endless types of disclosures; data security involves none.
- Access – Technological tools are used in data security to restrict access internally and externally, whereas in data privacy, regulatory or contractual requirements restrict and grant access.
- Data Usage and Third-Party Transfers – Data security is concerned with consistency with internal rules and with transferring data securely, whereas data privacy is concerned with the purpose of the use and the permissibility of the transfer.
- Data Minimization – In data security, data minimization is concerned with how the amount of data held affects risk, whereas in data privacy, the amount of data used, accessed, or collected should be the minimum necessary.
- Retention – Data security and privacy should align to maintain data for as short a time as possible, but there are legal and contractual retention minimums.
Achieving Great Data Security and Privacy Practices
In a day and age when cybersecurity attacks are at an all-time high and the threat landscape continues to evolve, knowing the data security and privacy requirements that your organization must adhere to is critical. This is where the importance of understanding the difference between privacy and security comes into play. Without this understanding, you will underachieve at your compliance goals, spend unnecessary effort, and incorrectly implement security and privacy practices.
Your team will excel in their data security and privacy efforts when they know why they’re doing what they’re doing.
About the Author: Joseph Kirkpatrick is the President of Kirkpatrick Price. Kirkpatrick Price is a licensed CPA firm, PCI QSA, and HITRUST CSF Assessor, and most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, GDPR, ISO 27001, FISMA, and penetration testing.