GDPR: Security VS Privacy

This is the third installment of our 5 Things to Know for 5/25 blog series, and we’re talking about the differences between security and privacy and how this impacts GDPR preparations.

Many see privacy and security as being one in the same, but in fact, they are distinctly different. Understanding these differences is crucial to better define policies and protection required for GDPR compliance.

This may oversimplify what is a complex area, but privacy decisions focus on what personal data to collect, who can access it and when, how it is used, with whom it is shared and how long it is kept for. Security represents the technology tools that safeguard personal data from unauthorized access, maintain its integrity and ensure it is available when needed.

Privacy principles are the heart of GDPR, and enforcing them requires the right technology, processes, and behavior. So, it’s not an ‘either/or’, but an ‘and’ –privacy and security should work together to achieve the best result. 

Privacy by design – it’s all about building trust

Taking a proactive approach is what privacy by design is all about. Don’t let privacy be an afterthought. When readying existing systems and processes for GDPR and for any new projects, being clear on privacy impacts can help identify issues earlier, improve organizational awareness and ultimately help meet requirements more easily. 

Considering privacy often and early helps build trust in your organization. Customers and prospects are increasingly looking for vendors who can demonstrate their commitment to privacy. Rather than a burden, it can become a key differentiator.

Security to reinforce and manage privacy policies

You can't have privacy without security, but you can have security without privacy. The right security is essential to underpin privacy obligations. Think of the bank teller who has authority to access your bank account, but they can only do that when combined with the relevant authorization – for example, the card and PIN number you provide when walking into a branch.

Like privacy by design, secure by design principles ensure security is considered right from the outset for new systems, applications or processes. For those already in place, aim to ensure the most appropriate and best protection possible. For example, giving customers the ability to authenticate using multiple factors (e.g. email and SMS) can help protect their personal data against unauthorized access by someone who may have stolen their password. Robust advanced cybersecurity protection, data encryption, and data leak prevention play a key role in defending against attack, human error, and malicious actions. Role-based access controls mandate selective access to personal data.

In fact, as data subjects, we need to be more vigilant about protecting our privacy. Who do you give data to? What passwords do you use? Consumers will gravitate to organizations that can demonstrate appropriate security controls when managing their personal data.

So, what are our top tips when considering privacy and security?

1. Think of them jointly rather than in isolation.
2. Inject privacy considerations early into new projects.
3. Ensure security controls are appropriate and able to support privacy standards.
4. Be transparent. Openly demonstrate your privacy and security credentials to help build trust.

Check back next week for the next blog in our 5 Things to Know for 5/25 series.