With all the news about the Facebook ‘breach’ and GDPR (the EU General Data Protection Regulation), some may think that privacy and security are the same thing. They are not, but the two need a cooperative relationship for either a privacy plan or a security plan to be effective.
First let’s talk about security. Information security is about keeping information confidential, preserving its integrity, and making sure it is available when needed. Security protects all the information assets an organization holds. Privacy assures that personal information (and sometimes corporate confidential information as well) is collected, processed (used), protected and destroyed legally and fairly. Why do these distinctions matter? Because in the Facebook case the issue was not security, it was privacy. The information was gathered through Facebook’s platform by an application the users had authorized; it was the way the data was then used and passed on that many feel was inappropriate. Cambridge Analytica didn’t break into Facebook and steal the data. It was obtained through access that Facebook’s platform permitted. This is the very reason for emerging standards like GDPR. Under its purpose-limitation principle, data collected on an individual for a specified purpose may not be further used for an incompatible purpose without a new lawful basis, which for this kind of sharing generally means going back to the data subject for consent. If you collect it for one purpose and then decide to sell it for another, you must go back to the individual and obtain consent for that use.
Where security and privacy coexist is that the means of keeping information private is usually security. That being the case, most privacy standards include references to security. Consider the USA’s Health Insurance Portability and Accountability Act (HIPAA). It contains both a Security Rule and a Privacy Rule, and you cannot be HIPAA compliant just by being secure. Privacy informs security: an information security engineer for a hospital needs guidance on who should have access to which health information, and then puts controls in place so that all those individuals have the required access and no one else does. Looking again at Facebook, if management had required stricter privacy, the security teams would have put in place the controls to prevent Cambridge Analytica from accessing anything except what it was entitled to access. Under GDPR-type rules, any use beyond the original purpose would have required consent from the individuals.
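To make the "privacy informs security" point concrete, here is an added example (written for this post, not code from Foresite or any product) of an access check that enforces both policies at one decision point: the security side asks whether the requester’s role is entitled to the record, and the privacy side asks whether the stated purpose is one the data subject consented to. The patient record, roles and purposes are constructed for illustration. Note that the vendor in the sample is an authorized role yet is still denied, because the purpose it states was never consented to; that is the Facebook situation rather than a break-in.

```python
"""Purpose-bound access control: consented purposes (privacy) and entitled
roles (security) enforced together.

Added example; the record, roles and purposes below are constructed for
illustration and are not drawn from any real system.
"""
from dataclasses import dataclass, replace
from typing import FrozenSet, Tuple


@dataclass(frozen=True)
class Record:
    subject_id: str
    consented_purposes: FrozenSet[str]  # what the data subject agreed to (privacy)
    allowed_roles: FrozenSet[str]       # who privacy guidance says may see it (security)


def check_access(record: Record, role: str, purpose: str) -> Tuple[bool, str]:
    """Grant only when the role is entitled AND the purpose was consented to.

    Either failure alone denies; the reason string says which control failed
    so the denial can be logged and investigated.
    """
    if role not in record.allowed_roles:
        return False, f"role {role!r} is not entitled to subject {record.subject_id}"
    if purpose not in record.consented_purposes:
        return False, f"purpose {purpose!r} was not consented to by subject {record.subject_id}"
    return True, "allowed"


def grant_consent(record: Record, purpose: str) -> Record:
    """A new use means going back to the data subject.

    Modelled as an explicit, immutable update that produces a new record,
    rather than a silent widening of the existing policy.
    """
    return replace(record, consented_purposes=record.consented_purposes | {purpose})


# Constructed sample: one patient chart in a hypothetical hospital system.
CHART = Record(
    subject_id="patient-001",
    consented_purposes=frozenset({"treatment", "billing"}),
    allowed_roles=frozenset({"attending_physician", "billing_clerk", "analytics_vendor"}),
)

if __name__ == "__main__":
    requests = [
        ("attending_physician", "treatment"),  # entitled role, consented purpose
        ("billing_clerk", "billing"),          # entitled role, consented purpose
        ("analytics_vendor", "marketing"),     # entitled role, purpose NOT consented
        ("researcher", "treatment"),           # role not entitled at all
    ]
    for role, purpose in requests:
        print(role, purpose, check_access(CHART, role, purpose))
    # Only after fresh consent does the marketing use become permissible.
    updated = grant_consent(CHART, "marketing")
    print("after consent:", check_access(updated, "analytics_vendor", "marketing"))
```

The two checks are deliberately separate so that a denial can be attributed to the correct policy: a failed role check is a security finding, while a failed purpose check is a privacy finding even though the requester was otherwise authorized.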
Hopefully this short primer demonstrates why each organization should have both a privacy plan and a security plan, and why the two need to work together to provide a secure and private environment. Foresite’s consultants can also help you make sure these policies are in place and appropriate for the type(s) of data you protect.