Data Privacy vs. Data Security: What is the Core Difference?
This blog was originally published on TokenEx.
Written by Dillon Phillips from TokenEx
For organizations that collect or manage data—and individuals who own it—private data and the security of that data should not be taken lightly. They are primary concerns when undertaking the process of protecting fundamentally sensitive information such as identities, finances, and health records. Without them, cybercriminals and other malicious actors would have access to staggering amounts of potentially damaging data. However, not everyone recognizes or understands the difference between data privacy and security. As a result, the terms are often used incorrectly or confused as the same thing.
So, what are data privacy and security?
Data Privacy and Security
Data privacy and security are two essential components of a successful strategy for data protection, so safeguarding information often isn’t limited to just one of the two. In fact, it shouldn’t be. The difference between them isn’t so much in their execution or results but in the underlying philosophy and goals supporting them. Specifically, it comes down to which data is being protected, how it’s being protected, from whom it’s being protected, and who is ultimately responsible for that protection.
Obviously, data security is concerned with securing sensitive data. Where data privacy and security begin to differ is in whom or what they are protecting data from. Data security is primarily focused on preventing unauthorized access to data, via breaches or leaks, regardless of who the unauthorized party is. To achieve this, organizations use tools and technology such as firewalls, user authentication, network limitations, and internal security practices to deter such access. This also includes security technologies such as tokenization and encryption to further protect data by rendering it unreadable—which, in the instance that a breach occurs, can thwart cybercriminals from potentially exposing massive volumes of sensitive data.
So, privacy is less about protecting data from malicious threats than it is about using it responsibly, and in accordance with the wishes of customers and users, to prevent it from falling into the wrong hands. But that doesn’t mean it can’t also include security-type measures to ensure privacy is protected. For instance, efforts to prevent the linking of sensitive data to its data subject or natural person—such as de-identifying personal data, obfuscating it, or storing it in different places to reduce the likelihood of reidentification—are other common privacy provisions.
Too often, the terms security and privacy are used interchangeably, but you can see that they are in fact different—although sometimes difficult to distinguish between. Whereas security controls can be met without also satisfying privacy considerations, privacy concerns are impossible to address without first employing effective security practices. In other words, privacy limits access, whereas security is the process or application for limiting that access. Put yet another way, security protects data, and privacy protects identity.
Data Privacy and Security in Practice
Let’s look at a hypothetical example of these concepts. When you download a mobile application on your smartphone, you’re probably prompted with a privacy agreement you must consent to before the installation begins. From there, the app might also ask for access to certain information stored on your phone, such as your contacts, location data, or photos. Once you’ve decided to grant the app these permissions, it is then responsible for securing your data and protecting the privacy of that data—which doesn’t always happen.
If, for example, the developer of that app turned around and sold the information you gave it to a third party or marketing company without your permission, that would be a violation of your privacy. If the app maker were to suffer a breach, exposing your information to cybercriminals, that would be another violation of your privacy, but it would also be a security failure. In both instances, the developer failed to protect your privacy.
Data Privacy and Security vs. Compliance
Now that you have a basic understanding of the difference between data privacy and security, let’s look at a few common regulations designed to help provide guidelines for maintaining each and how they form the data protection landscape.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of rules for protecting sensitive payment card information and cardholder data. Although primarily concerned with standardizing the security controls for the processing, storage, and transmission of payment data, it also includes measures for personal information often associated with payments, such as names and addresses. It applies to banks, merchants, third parties, and all other entities that handle cardholder data from the major payment card brands.
The European Union’s General Data Protection Regulation (GDPR) is an international standard for protecting the privacy of EU citizens. This law establishes important terms and definitions for whose data should be protected (data subjects), what types of data that entails (personal data), and how that data should be managed and secured. Any entity that collects the data of EU citizens is subject to this regulation.
The California Consumer Privacy Act (CCPA) is the benchmark United States law regulating how organizations are allowed to process the data of California citizens and their households. Similar to the GDPR, it documents which data is protected and details the requirements for protecting that data. All organizations that handle data from Californians must adhere to this statute.
The Health Insurance Portability and Accountability Act (HIPAA) is concerned with protecting the sensitive health information of patients across the U.S. This regulation is particularly complex because of the vast amount and variety of health care data available—everything from a patient’s date of birth to its prescribed medication and X-rays. It also exists in both physical and digital forms that need to be protected differently, which makes securing private health information impossible to achieve with a “one size fits all” approach.
Although it is important to meet the requirements of each regulation relevant to your organization in order to avoid fines and other costly penalties, it’s also worth noting that satisfying minimum compliance obligations does not always result in adequate security or privacy measures. By prioritizing the implementation of effective data privacy and security controls—rather than simply meeting minimum regulatory requirements—organizations will often exceed those same obligations while also improving their security standing and better positioning themselves to anticipate future regulations. Tokenization provides an effective method for doing just that.
Tokenization for Data Privacy and Security
One of the unique things about tokenization—and one of its greatest strengths—is its potential to satisfy both data privacy and security concerns. Through its ability to pseudonymize information, tokenization can act as a security failsafe to protect sensitive data in the event of a breach, rendering the data stored in the breached system unreadable to cybercriminals. In effect, pseudonymization desensitizes data by deidentifying it and preventing it from being returned to its original, sensitive form.
Because tokenization removes sensitive data from internal systems, it can virtually eliminate the risk of data theft, making it a particularly useful tool for risk reduction and compliance in terms of both data privacy and security considerations. So even if the security systems established to protect data privacy become compromised, the privacy of that sensitive information does not.
For more information about tokenization and how it satisfies both security and privacy concerns, check out the "How to Choose a Tokenization Solution" ebook.