The question “what is the difference between data Privacy vs data Security?” may have been floating around your office in the last year. If you are in the IT Operations or Security department, the privacy vs security debate may seem irrelevant—isn’t privacy just a type of sensitive data? The answer, of course, is yes, privacy is a type of sensitive data, but it does impact the business in a new and different way than the traditional approach to sensitive data.
Important considerations that distinguish data privacy include identifying data, categorization, defining new types of data processing, training, and new business rules to ensure compliance with data privacy laws—including reporting on data management to regulatory authorities. Due to privacy regulations and differing international standards, privacy-specific data protection and security considerations are changing the essential ways businesses must operate and, in turn, make new requirements on IT and Security operations.
In this post we’ll take a closer look at these differences and see how new data mapping technology is making it possible to help you handle these two distinct data management aspects.
Why Is Data Privacy Important?
Data privacy has always been important, but the growing amounts of data being collected and stored, the personal nature of that data, and how it is used for profit have prompted groundshaking changes. The crucial point to remember is that data privacy should be as to the organizations collecting data as it is to the people whose privacy is at stake.
Data privacy’s focus, in line with data privacy regulations, is to make sure that the data held by the company is properly identified, used, and handled by the business. Data security, on the other hand, is a much larger scope as it involves the technology and processes responsible for making sure that all the data in your organization, including privacy data, remain out of the hands of individuals who should not have access to it.
There is a role for data security in securing privacy data, but the fine details of handling data privacy can’t all be solved using data security precautions.
Confidential Data and Sensitive Data Handling
If you have ever worked for or with a national security government organization, you might recall one of the first lessons was to understand data classification—what the marking rules were, and how to handle different data types. To some extent, this is the reality for modern businesses who must now address different types of sensitive data.
The rules concerning data privacy vs data security in your business can become similarly complex. In government and privacy data management there are layers of protection based on the type of data and special systems to process that data. Unique and special systems are not uncommon in government to help in identifying data that might not appear sensitive in one setting but combined with other data is classified. This effect is part of new regulations such as GDPR. It is not uncommon for processes and systems to be developed so that privacy information records are blocked so that related information cannot be accessed and abused by personnel. Also, rules from one jurisdiction may slightly exceed those from another, so your policy and protection measures may have to rise to the level of the highest level to ensure compliance to all requirements.
Regulatory Compliance Requirements
Privacy regulations are proliferating globally. There is the GDPR, but also individual EU member state regulations that enhance or expand the rules of GDPR. In addition to those local EU variants of GDPR, this year has also seen new data privacy regulations from Brazil, Hong Kong, Bahrain, and in 2020, California’s CCPA will go into effect.
What all these (and other) regulations have in common is that they define privacy data and the rules that businesses must enact to accommodate that data. These rules will have to be interpreted by each business, but many of them focus on the complexities that make operations and management of that sensitive data complex.
The primary concerns across most businesses are going to be setting up the internal rules about identifying data, putting in place systems to manage the identification of data, ensuring access to data, training personnel on process rules, and, of course, handling any regulatory fines and breach notification costs. The impacts of breach notification can clearly be seen, for example, in a case like the recent Capital One breach; however, the costs of fines and business process development can vary by organization and industry.
In a recent 2019 Privacy Governance report published by EY and the IAPP, a summary of fines shows that they have been rising rather astonishingly. Items such as the US Federal Trade Commission file of $5B to Facebook is more than double the total fines internationally on privacy to date. These high-figure fines are impressive, but they actually underscore that fact that businesses are not developing the processes and systems required to ensure data privacy protections. To meet regulation requirements, business will have to do more than put a compliance program together: real compliance requires analysis of systems and new tools and techniques to protect data. Awareness by all levels of the business, from data entry to the boardroom, is expected. This means you.
Sadly, for US-only businesses, a lack of a single federal standard means tracking regulatory compliance on a state-by-state basis, which will be a considerable task. For any business with international customers, it means ensuring that privacy data of non-US nationals must meet country specific rules.
How IT and Security Operations Must Move Forward
Many businesses must clearly address data privacy vs. data security by starting or enhancing privacy functions to meet new regulations. It's no longer sufficient to identify if a Social Security number is masked, or that a database that contains cardholder data is encrypted.
Today’s privacy regulations require that you clearly identify the data which may be considered privacy data, including information that may not have been included in traditional “privacy” categories. Once data is identified, processes must be developed to ensure confidentiality. Then, companies must also refine processes to remove, redact, or modify business operations based on the request of a data subject or regulator to remove that data in a manner that is transparent and secure. The task may seem daunting, but recognize that many other businesses are in the same position. Finding data privacy solutions that fit your business will be an important first step.
For IT and Security operations it does mean that the systems and business processes that you support may change in a variety of ways in the near term. Sensitive data protections, such as encryption, data obfuscation, and system administrator and IT support training may need to be revisited immediately to ensure that they are scoped and implemented successfully. New business process rules, to identify or remove data are very likely to needed to support “right to be forgotten” or other instructions from the privacy data owner.
In this privacy update, a number of traditional compliance-related program areas are going to need review and consideration for improvement. These include vendor or third-party management tools and services, data system design, and development, and policy development and training. Additionally, new technology such as AI and machine learning are proving to be beneficial for organizations with dispersed data sets to help identify sensitive data quickly and help to develop processes that will meet privacy rules.
That’s exactly what Cloud Compliance offers Cloud Volumes ONTAP and Azure NetApp Files users. This is the missing piece of the complete data management suite offered by cloud users on AWS, Azure, or Google Cloud: an intelligent data mapping tool that can automatically detect data privacy items no matter which cloud you store them in and provide instant reports that avoid irrelevant false positives.
Align Your Data Privacy and Security Goals: Try an Early Access Preview of Cloud Compliance
Privacy data management presents a degree of complexity to traditional data protection approaches in many businesses. Understanding the rules associated with privacy data for any business will mean being aware of new and upcoming privacy regulations. The changes to business processes may include changes to legacy systems, and for many organizations a requirement to update policy and traditional processes used to protect data.
Companies are likely to need tools to help in privacy data management as well. Cloud Volumes ONTAP and Azure NetApp Files users can start using Cloud Compliance data mapping technology right now.