August 14, 2023
As your company’s privacy team works to protect customer data, there’s another key component to keep top of mind: how to best secure that data in order to achieve compliance.
The good news is that many aspects of privacy and security have commonalities and shared goals, leading to a natural working symbiosis. However, the potentially frustrating part is that privacy regulations like the GDPR or CPRA don’t provide a lot of detail about security implementation.
Essentially, while regulations ask organizations to develop “reasonable security” in their privacy programs, details can be vague about how to achieve that. As the National Cyber Security Centre puts it, “The [GDPR] does not mandate a specific set of cyber security measures, but rather expects you to take ‘appropriate’ action,” though it doesn’t explicitly say how.
While this can be challenging to operationalize, the vagueness is deliberate. Because it leaves room for technological advances and changes in the threat landscape, the lack of prescription is actually beneficial for organizations. They can lean on other sources for guidance, such as security industry frameworks, to determine what’s reasonable based on risk and data sensitivity, or on guidance from organizations like the European Data Protection Board.
And so, because data privacy and data security share responsibilities, they can often feel synonymous, even though they represent distinctly different fields.
For that reason, it helps to know the difference between privacy and security (and why both are equally important). And while it’s true the two can overlap, they still perform different functions for your company’s overall data protection: Privacy gives users the right to choose how you access and use their data, and security protects the data once it’s in your possession.
Imagine for a moment that both “privacy” and “security” are inquisitive toddlers (we’re sure you know a few).
Privacy is the tyke who’s always asking “why”: Why are we collecting this data? Why do we want to use it, and why are we keeping it for X amount of time? Why are we storing it, and why are we sharing it? This toddler’s questions revolve around how your company’s data is collected and processed. In a work setting, privacy teams are building the “why” as they think about the regulatory environment.
And security is the toddler who’s forever wondering how things work: “Yes, but how does it happen? How are we keeping data secure, and how are we keeping encryption in place?” This toddler’s questions help decide how secure your collected data should be based on its type, level of privacy, etc. In the world of work, they are thinking about how to keep data secure depending on the “whys” that privacy set in place.
Why does this matter? Because in your organization, both kiddos should be playing in the sandbox together. Not only do they hold checks and balances on each other, but they’re also able to proactively develop a risk mitigation plan if a breach should occur. The more privacy and security work together, the stronger your collective privacy program will be. Having the “why” and the “how” work together can help build trust, which is the ultimate name of the game.
Day to day, privacy and security work together to ensure the data you’re collecting is not only protected, but controlled. Essentially, privacy determines the sensitivity and classification of data, while security sets appropriate access controls.
More often than not, the two teams aren’t putting out fires, but preventing them. This might look like collaborating on vendor reviews, sharing training, mapping data flows, and drafting policies together. However, in the case of a breach at your company, the relationship between privacy and security is put to the test. Your security team, whether internal or external, will need to work with your privacy team to determine the impact of the loss of data (and whether notifications may be necessary).
This is the moment when you discover whether privacy and security have, in fact, been playing in the sandbox all along, proactively developing a robust solution in the event of a breach. And if they have, the mitigation process becomes that much smoother.
But what does that relationship look like?
Essentially, if privacy (the “why”) is executed mindfully, then security (the “how”) will be more thoughtful, too. At its core, a solid security plan really comes down to how well you understand the data you’re gathering and why.
Collecting only what’s needed, plus having data labeling and classifications, contributes to the technical, organizational, and administrative mechanisms that can safeguard data. While security is a distinct field, having upstream checks in the “why” of data collection and processing can help the downstream process of keeping it secure.
Thus, in the event of a breach, these two teams are not only speaking to each other, but they have been for a while.
Because these two teams will have established a solid rapport (and plan) in advance, this breach mitigation should go smoothly—leaving data far more secure than if no preventative sandbox play-dates occurred.
For more information on how to interpret current privacy regulations—and what they require of your company’s data security plan—find a trustworthy partner to help you navigate it all. Osano has a number of free resources to explore. And when you’re ready to take the next step, we provide a range of solutions to help you meet GDPR and CPRA requirements.
Rachael Ormiston is the Head of Privacy at Osano. With over 15 years of professional experience, she has deep domain expertise in Global Privacy, Cybersecurity, and Crisis and Incident Response. Rachael is an IAPP FIP and has previously served on the IAPP CIPM Exam Development board. She has a personal interest in privacy risk issues associated with emerging technologies.