The difference between security and privacy? - Changing one’s mindset from a security to an information privacy-focused one

Because of the privacy audits and other privacy projects during the past years I have been privileged to meet a wide variety of security specialists. While I have been able to learn a lot of their field of expertise I have learned that there are certain issues that you should find a common understanding of and also understand the different views of security and legal privacy specialists before getting any further.

Because of the privacy audits and other privacy projects during the past years I have been privileged to meet a wide variety of security specialists. While I have been able to learn a lot of their field of expertise I have learned that there are certain issues that you should find a common understanding of and also understand the different views of security and legal privacy specialists before getting any further.

Usually for an information security team, personal identifiable information (PII) means focus on credit card numbers, social security numbers (SSN), driver’s license numbers and salary information which are often also considered sensitive. However, the key is to understand that according to GDPR (EU General Data Protection Regulation) any piece of information leading to an individual can be considered personal data. And only specific information is considered sensitive (belonging to the special categories of personal data) e.g. data revealing racial or ethnic origin, health data, political opinions, trade union membership. Processing of sensitive data without a specific legal ground is prohibited and a higher level of protection is afforded. E.g. SSN is not per se sensitive information. However, because of the risk-based approach and the nature of SSN, securing that data is important. A security breach of the SSN can cause an individual to face an identity theft or a fraud i.e. it is a high risk for the individual. It means e.g. that special care must be observed when storing and processing SSN.

• Ensure that the concepts are aligned. It is easier to proceed and reach the goals if you speak the same language.

Information security emphasize the measures that are in place to protect the information. It is a question about encryption, access procedures and controls, log monitoring etc., while privacy specialist’s second question (after asking what kind of personal data you collect) is why the data is collected and stored? In other words, personal data cannot be stored indefinitely even if the security of the data is on a sufficient level and the access rights are limited. Often, privacy specialist finds out that data once collected for a certain purpose, is not used for the purpose anymore. For some reasons the data is no longer valid, or the business purpose does not exist anymore, but the data is still kept just in case it will be needed for another purpose or juts because nobody is interested in cleaning. However, adequate level in protecting the security of personal data is not enough, because the data can be retained only if it’s still needed for the purposes defined. If you are unable to define a purpose, you may need to erase or anonymize the data. If the purpose is defined check that privacy notice is up-to-date.

• Ensure that you have defined the purpose for the information. It is not enough that data stores are protected and secured, the retention periods must be determined and process automated.

Information security specialist is keen to know whether data is transferred securely. Privacy specialist is eager to know why data is being shared to a third party overall. Remember that the processing of the personal data must be transparent towards individuals and it includes data disclosures. The privacy notice has to align with the transfers.

• Ensure you have a legal basis to disclose information and secure way of doing it. Make sure that you have told individuals about the transfer.

Without security, there is no privacy or was it another way round?