Data privacy and information security are different concepts and have traditionally fallen under the expertise of different stakeholders. Companies that want to comply with privacy regulations must encourage and facilitate a close working relationship between privacy and security experts, since security or privacy on its own will not be sufficient to protect data in a digital world.
The International Association of Privacy Professionals (IAPP) defines data privacy as “the right to be let alone, or freedom from interference or intrusion”, and information privacy as “the right to have some control over how your personal information is collected and used”. The National Institute of Standards and Technology (NIST), on the other hand, defines information security as “freedom from those conditions that can cause loss of assets with unacceptable consequences”.
Data privacy is focused on the use and governance of personal data by companies, while information security focuses more on the actual mechanisms and controls to protect personal data from unauthorized access (confidentiality), alteration (data integrity) or destruction (availability).
Data privacy involves adopting policies, offering consent choices to users, complying with any data transfer restrictions, complying with data retention and archiving obligations, managing third-party involvement in the processing (e.g. by signing data processing agreements or similar arrangements, depending on the jurisdiction), etc. Data security involves controls and mechanisms such as cryptography, access controls, authentication (e.g. passwords, multi-factor authentication, biometric authentication), etc.
While privacy and security are different things, they certainly overlap. For a company to ensure that it has protected usable data at its disposal, both privacy and security must be taken into account.
Consideration of privacy issues to determine the acceptable level of risk
It is not possible to achieve 100% security in a product. It is therefore important to understand information security as complying with an acceptable level of risk, and this is where data privacy is most needed: to help determine the acceptable level of risk in each case. Privacy regulations introduce concepts such as special categories of data, large-scale processing, aggregated data, anonymized data, automated decision making, etc.
Each of these concepts defines a different scenario that requires a certain level of protection, and must be taken into account when assessing how stringent the security controls and measures to apply need to be. For instance, anonymized data will not require any security measures (other than the anonymization itself), whereas, under most privacy regulations, processing of health data will require strict security controls such as multi-factor authentication or strong encryption.
We must not forget that there are multiple security standards that also help to determine the acceptable level of risk, e.g. International Organization for Standardization (ISO) standards, the Payment Card Industry Data Security Standard (PCI-DSS), the security rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (https://www.hhs.gov/hipaa/index.html) [1], etc. However, standards are the result of self-regulation and, whilst they can become de facto regulations over time, they are not mandatory.
Other signs of the overlap between privacy and security
Privacy by design and by default: this term has always been part of privacy laws. According to the UK Information Commissioner’s Office (ICO), data protection by design and by default means that “you have to integrate or “bake in” data protection into your processing activities and business practices, from the design stage right through the lifecycle”.
This means that both privacy and security must be part of the design and development of all products, services and systems that process personal data. The U.S. Federal Trade Commission (FTC) emphasized privacy by design in its 2012 report and recommended that companies promote consumer privacy throughout their organizations and at every stage in the development of their products and services. The report also stated that “They should incorporate substantive privacy protections into their practices, such as data security, reasonable collection limits, sound retention and disposal practices, data accuracy”.
Data Protection Impact Assessments (DPIA): Article 35 of the E.U. General Data Protection Regulation (GDPR) defines when to carry out an “assessment of the impact of the envisaged processing operations on the protection of personal data”. It specifically states that this data protection impact assessment must contain, among other things, “the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data (…)”. The California Consumer Privacy Act (CCPA) does not include a mandatory requirement to undertake a DPIA, and the E-Government Act of 2002 only requires federal agencies to conduct DPIAs in certain circumstances (Section 208(1) of the Act).
Data processing agreements: In GDPR-governed countries, a data processing agreement is mandatory according to Article 28 GDPR. This is a written contract between the “controller” and the “processor” which governs the use of personal data. The data processing agreement includes provisions that impose certain obligations on the processor, including technical and operational measures (TOMs) that the processor must agree to implement. According to Article 32 GDPR, these TOMs are necessary “to ensure a level of security appropriate to the risk”.
Although GDPR sets out in more detail the provisions that a data processing agreement must contain, this type of agreement is also required in many other jurisdictions. In California, the CCPA also requires a similar agreement to be put in place between the “business” (the entity that determines the purpose and means of the processing) and the “service provider” (the entity that processes data on behalf of the business). In Japan, the Act on the Protection of Personal Information also requires an agreement between the “personal information controller” and the “service provider”. This agreement must oblige the service provider to implement appropriate security measures to ensure the same level of protection as that of the “personal information controller”. The strict data protection landscape in South Korea is mainly regulated by the Personal Information Protection Act, which also requires an “outsourcing agreement” between the “personal information controller” and the “outsourcee”.
Data transfer restrictions: When transferring data to other countries, we must analyze whether there are any restrictions imposed by the regulation of the transferring country. In GDPR-governed countries, in order to lawfully transfer personal data to countries that do not have an adequate level of protection (which, since the Schrems II decision, includes the US), additional measures might need to be put in place on top of the approved Standard Contractual Clauses. Some of these additional measures fall in the security area, such as bring-your-own-key (BYOK) encryption (for more information, please see https://edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf).
The list of privacy requirements in regulations that entail an action falling in the security area is very long; the examples above are only a selection.
How does this impact the internal organization of a company?
Companies that aim to have a strong privacy and security team must ensure that privacy subject matter experts are involved in security topics, and vice versa. They must abandon the idea of a privacy expert who is not involved in technical issues, or a security expert who is not interested in regulations and acts. Initiatives such as creating a common privacy and security office, organizing a community of tech and non-tech experts, promoting shadow learning or offering training are very helpful for performing a complete assessment of an issue and providing the highest level of data protection.
[1] Footnote: HIPAA is a US federal statute and is mandatory for “covered entities”. However, pharmaceutical and biotech companies are not directly regulated by HIPAA, although there are some exceptions.