Data Security vs. Data Privacy: Not Knowing the Difference Could Cost You
- Written by: Trevor Meers
Security and privacy seem interchangeable to most of us. Cover one, and you’ve checked both boxes, right? Not exactly. Think of them more like the yin-yang symbol. When you talk about data security vs. data privacy, you’re talking about two interrelated, but distinctly separate, concepts.
And knowing the difference grows more important each month as nearly every organization evolves into a repository for Personally Identifiable Information (PII). That means that if you’re not thinking about your specific data privacy policy, you’re leaving your organization vulnerable to fines and lawsuits.
You're probably storing more customer data than you even realize thanks to everyday processes such as scanning business cards into your CRM, using cookies on your website, storing customer satisfaction surveys and more. And the giant data suction hose only gapes wider each month as the Internet of Things (IoT) and 5G’s rollout turn anything with power into a new surveillance node. Various experts predict the number of IoT devices in use by 2027 will reach up to 41 billion. You don’t need a tinfoil hat to see the implications.
Governments worldwide are increasingly committed to holding you legally liable for all that data you’re stewarding. You may not have a Chief Privacy Officer on the payroll yet, but it’s time for someone on the team to start thinking like one. In this article we'll help you understand the difference between data security and data privacy so you can ensure your policies pay attention to both.
So What Is Data Privacy?
An IT adage says that you can have security without privacy, but you can’t have privacy without security. In other words, don’t get cocky about your privacy posture just because you’ve never had a breach.
Security ensures that no one gets unauthorized access to data. But a privacy issue arises when you knowingly give personal data to entities you shouldn’t share it with. Our friends at Facebook or Google provide a familiar example. Even if they have rock-solid security, they’re still selling details about you to advertisers, market researchers and others. That’s a privacy concern. If they DO get breached, they can have both security and privacy incidents.
Thorough privacy policies also address who within your organization has access to data and how clearly you tell customers what you’re collecting and what you’re doing with it.
How to Improve Your Data Privacy Policy
In this rapidly evolving privacy landscape, you’ll need a well-informed team to clarify your responsibilities. Along with a knowledgeable attorney, you should confer with a cybersecurity company such as HBS on:
- How evolving privacy laws apply to you.
- Developing policies that adequately cover both security and privacy. With multiple standards emerging nationwide, it typically takes an experienced professional to write an across-the-board privacy policy you can count on.
- Understanding what data you’re collecting and how long you retain it, both of which can impact your liability.
- Training employees throughout your organization on their responsibilities. Your marketing department, for example, plays a key role in your privacy position. And your HR processes should address privacy from an employee’s first day through steps such as granting role-based access, which limits employees to only the data they need to do their job.
The Cost of a Privacy Violation
Every leader should get familiar with the legal concept of a “data fiduciary.” The New York Privacy Act currently working its way through that state’s legislature includes the phrase, and it’s likely to show up in a lot of laws. It requires companies to think about customers’ data the way a lawyer or physician does. Clients divulge their private affairs to you for just one reason: so you can serve them better. Leveraging that data for your own benefit, or even acting recklessly with it, violates your responsibility.
New York’s proposed law is the latest in a string of major new regulations that determine how entities handle information. This presents two key takeaways as you think about data privacy:
- New data privacy legislation is in the works in multiple states and nations, including big economic players Brazil and India. Californians recently voted to create an agency to enforce the state’s data privacy law. HBS’s analysts anticipate this being a wake-up call for hundreds of companies that hold data on California customers.
- Agencies are growing teeth when it comes to fines for data privacy violations.
During the first year of the European Union’s privacy regulations, the EU went light on fines, tempting some companies to risk paying a token penalty rather than invest in compliance.
Then the hammer fell. In 2019, the EU levied its first big penalty, a $230 million fine against British Airways for violating the law’s requirements. Here in the U.S., Facebook absorbed one of the federal government’s largest penalties ever: $5 billion for violating consumer privacy, which is roughly 7% of Facebook’s annual revenue. You can do the math on how such a fine would impact your bottom line.
Right now, governments are mainly going after big companies. But the Federal Trade Commission’s long list of privacy enforcement actions proves they’re also pursuing plenty of firms that aren’t household names.
Note that some of the root problems that earned fines weren’t nefarious activity so much as crimes of omission regarding basic security hygiene. When the Equifax data breach earned the company a $575 million fine, its key problem was failing to patch its network in response to a known vulnerability, leading to the compromise of 147 million records.
Data Privacy Laws
Anyone in the healthcare or financial industries probably has a working knowledge of privacy regulations, thanks to standards like HIPAA and PCI. But the last two years have brought new privacy regulations to the broader market. Two big ones have set the course for many similar laws coming online:
- What is GDPR? – The EU’s General Data Protection Regulation took effect in May 2018. You probably noticed its arrival when every website started asking you to confirm its use of cookies. Under the law, residents of the EU, the UK and the EEA (European Economic Area) now have the right to access, correct, delete, and export their personal information. The law, designed to provide a unified standard across national borders, applies to anyone who collects data of EU citizens.
- What is CCPA? – California led the U.S. consumer privacy charge with the California Consumer Privacy Act, which became effective on Jan. 1, 2020. Its influence stems not only from being the nation’s first such law, but from the fact that it applies to any company with customers or computers in California. That ropes in a lot of organizations. Smaller companies are exempted from the law, as it applies only to companies that have more than $25 million in annual revenue, collect data on 50,000 or more consumers, or derive 50% or more of their revenue from selling personal information.
Several states have passed their own privacy legislation, with a wide spectrum of requirements and definitions about controls, categories of covered data, etc. Several lawmakers have been working on concepts for a national framework similar to GDPR to make it easier for companies currently trying to comply with varying state standards.
If you’re ready to have a conversation about how all of this applies to you, contact an HBS consultant.