Cindy Ng is the host of the Inside Out Security podcast. In one blog post, she defined data privacy or information privacy as a branch of data security concerned with the proper handling of data – consent, notice, and regulatory obligations.
Data security is the application of steps to prevent unauthorized access to information in whatever form it exists.
Perhaps the careless swapping of the two has led to confusion in some quarters of the enterprise.
Different but same
Very different and yet so easily confused for one another, the two – security and privacy – are nonetheless connected.
Rob Hinson, a privacy expert at OneTrust, believes that you can’t have one without the other. He described a situation in which a person stores someone else’s money at his location – without consent.
“No matter how secure a person’s money is while stored at someone else’s location, the very fact that someone else is holding on to that money is already wrong. This state is what you’d call privacy! Your data should be protected both in terms of it being kept private and private. What belongs to you should stay with you unless you deem otherwise,” he explained.
This is the challenge that many organisations face today.
The Deloitte Insights paper, Reimagining customer privacy for the digital age, noted that progress in the evolution of the digital economy has had one unexpected outcome – it has exposed the considerable challenges businesses and regulators must address in the protection of customer data, both in terms of privacy and security.
Deloitte noted that large financial institutions’ privacy policies, for example, often fail to address the complexities of privacy that have emerged, partly blaming technology.
They also don’t account for different types of privacy concerns beyond the protection of personal financial data—from location to thoughts and feelings, to biometric information.
Myths and bad practices
During a CXOCIETY roundtable discussion on digital transformation, several delegates acknowledged the unexpected rise of security budgets alongside digitalization efforts. Still, one executive asked whether enough was being done given the increase in hacking incidents occurring worldwide.
This may well have to do with the success [sort of] of some security vendors in marketing their security offerings as the be-all and end-all of security needs.
Hinson conceded that some quarters of enterprises, mainly end-users, may actually think that security is sufficiently accorded to them as long as they have an endpoint solution in place.
“In Asia, some view security and cybersecurity strategies as largely being endpoint management and how you need to make sure that all of your systems are encrypted. However, sometimes cybersecurity also has to take into account the individuals who are involved and the possibility for human error and breaches from that aspect,” he cautioned.
Hinson does, however, make it clear that at some point a breach or a hack will occur. What is important is that the organisation has taken steps to minimise [or mitigate] the risks.
“It is not necessarily what you did wrong but the number of things you did right. So that when the auditor or regulator does come, you can confidently point out what happened, the steps the organisation took, and be able to prove with confidence that you did everything you could to prevent it,” he concluded.
The right strategy begins with…
Hinson acknowledges that organisations are spending considerable resources on the protection and privacy of customer data. However, he believes that an effective strategy should begin with the recognition of the “value” of the customer’s data.
He conceded that enterprises, including financial services institutions, are spending millions towards the protection of customer data, and understands the concern raised by some quarters within the organisation with respect to how much it will cost to protect this data.
“To me, it is not so much the way it's being secured but looking at it from the value of what's being held and what measures you should take from a security perspective to ensure that the data is not compromised,” he suggested.