Data Privacy and Information Security - How are they different and how are they the same?

Data privacy has become a commonly used term in the industry now.

Though this term has been around for several decades, the introduction of the GDPR law in the EU on 25th of May 2018 has brought this into the mainstream.

In any case, data breaches are dreaded by the information security folks.

These folks are essentially cyber warriors who take care of two crucial things for any organization:
  • protect the organization's information from getting into the wrong hands.
  • secure the organization's IT assets from getting hijacked or compromised by hostile cyber warriors.

Data privacy adds a new twist to the already existing tale.

It actually makes it much more serious by bringing a legal angle into the already complicated cyber security equation.

A data breach is a serious thing.

And if the data breach involves personal data of living individuals, the seriousness is compounded significantly.

A data breach involving personal data no longer remains just a security breach; it becomes a legal violation.

That's the reason for the increased focus on data privacy in businesses as well as in other organizations that handle personal data.

It is important to note that the administrative fines and compensation for damages may have a significant material impact, both in financial terms and on the organization's brand equity.

How are privacy and security different?

Here are some of the aspects where they are different like chalk and cheese:
  • Privacy is important when the data is personal in nature, whereas security is important with any data.
  • Privacy breaches would directly amount to legal violations, whereas security breaches may or may not amount to legal violations.
  • Privacy is concerned not just with securing the personal data but also with adherence to the generally accepted privacy principles (GAPP), whereas security is concerned just with securing the data.

How are privacy and security the same?

Well, they are not exactly the same, speaking in a strict technical sense. They are, however, strongly linked.

Here are some of the aspects where they are linked with each other:
  • In many instances a privacy breach is first reported as a security breach; the subsequent investigation turns it into a privacy breach as well, should any personal data be found to have been involved.
  • Privacy cannot be ensured and assured unless security is taken care of as the basic building block over which privacy gets built (security for privacy).
  • Privacy mostly relies upon the technical controls implemented as part of information security to provide the adequate technical measures required for ensuring privacy.

Data privacy and information security are actually comrades in arms.

Improving one would make the other better.

However, security has to be seen as a more fundamental thing as compared to privacy.

For any organization, the first step in strengthening its cyber defense systems should start with information security measures.

The next step would be to go with data privacy measures.

Regular reviews, audits and technical assessments of information security and data privacy in an organization have become a sine qua non in the present context.

In summary, it can very well be said: security first, privacy next, and after that both together forever and ever.