In recent years, there has been a growing conversation around data privacy to the point where very few professionals have not at least heard of the concept. Many businesses are now having to consider and implement the concepts of data privacy into their organizations, but many are wondering how data privacy is any different than data security.
What is data privacy?
At its core, data privacy is the consideration of a company’s use of personally identifiable information (PII) data, including the organization’s responsibilities over that data, how it was obtained, on what and who it was collected about, how it is stored and secured, and how it is disposed of. It’s an all-encompassing view of a company’s use of data, and it highlights that companies should be using their data responsibly.
It also considers the rights of the users whose data the company maintains. Data privacy requires the consent of customers and users prior to collecting, storing and using their data. It also provides that organizations should have agreements with their users that includes the types of data they will (and won’t) collect, as well as how they will use that data.
To effectively implement data privacy, an organization should understand:
- What data it collects
- How it uses the data
- How and where it stores the data, including the ability to access it upon user request
- Retention requirements for collected data (based on laws and regulations)
To sum up, data privacy considers the rights, responsibilities and proper use of PII.
In addition to these responsibilities, an organization must also protect the data it is collecting and using. This is where data security comes into play.
What is data security?
Data security is a piece of data privacy. It considers an organization’s responsibility over the protection of its data. An organization must make reasonable efforts to prevent the unauthorized access and use of its data, whether that be from a malicious external actor or a disgruntled employee. For example, data security typically includes controls such as encryption, access control lists and periodic user access reviews.
In order to prevent unauthorized access and actions within the data environment, data security generally considers three areas: confidentiality, integrity and availability. Confidentiality is protecting information from unauthorized access, integrity is preventing the unauthorized modification of data, and availability is ensuring data is accessible according to service agreements.
To validate the existence and effectiveness of their data security program, organizations should have external reviews performed, whether that’s an information technology controls review (aka IT audit) or a SOC 2 audit.
Need help understanding the impact of data privacy and data security on your organization?
If you have questions on or need assistance with understanding and assessing the impacts of data privacy and security on your organization, contact Wipfli. We can also perform IT audits, SOC exams and other assessments to help you identify and mitigate any weaknesses in your data privacy and data security.
Sign up to receive additional information security content and information in your inbox, or continue reading on: