Back to Basics: A Global Mobility Guide to Data Privacy v. Data Security
Walter N. Dannemiller III, Esq.
In an era defined by digital transformation, the concepts of data privacy and data security remain prominent as keynote topics at conferences, entire practice areas in the information technology and legal fields, and critical components of most modern-day service delivery models. Despite what seems like constant attention, these concepts are often blurred, and the terms are used interchangeably. This leaves folks struggling to understand whether they are data secure, data private, both, or none.
As a global leader in global workforce mobility and business travel services, Dwellworks considers data privacy and data security policies and practices to be as fundamental to our business as are our core values, good governance, and commitment to duty of care. Being a global operation, we also have several different guidelines and regulatory requirements from several different countries to abide by. As Dwellworks’ Vice President and Corporate Counsel and Chair of WERC’s Legal and Global Compliance Forum, laying out the basics of protecting our company data and advising on industry best practices is one of the cornerstones of my role. So, let’s go back to the basics and explore each of these distinct aspects of data management.
Privacy vs. Security - What’s the Difference
Data privacy, often referred to as information privacy, focuses on the rights of individuals to control how their personal information is collected, used, and shared. At its core, data privacy ensures that individuals (often referred to as data subjects in this context) have autonomy over their personal information. This is achieved through data subjects being afforded certain access rights to their data and, in some cases, requiring processors of such data to gain the consent of the data subject prior to the use of such information. These rights help prevent misuse of personal information which, in turn, reduces the risk of harm or discrimination to the data subject.
Data security, on the other hand, encompasses the systemic measures and practices put in place to protect data from unauthorized access, breaches, and other cyber threats. This technical discipline focuses on safeguarding the integrity, availability, and confidentiality of data through encryption, firewalls, intrusion detection systems, and access controls. Such controls help prevent data breaches and data loss, while preserving accurate and available data to authorized users.
Check All the Boxes: Important Practices for Ensured Safety
Data privacy practice is broad, focused on the rights of individuals and regulatory compliance. A data privacy program should be implemented by design via policies and practices that govern the entire data processing lifecycle, from collection to deletion. Key elements of an effective data privacy program include:
- Consent Management: where required, ensuring that individuals provide informed consent for the collection and use of their personal data.
- Data Minimization: collecting only the data that is necessary for a specific purpose.
- Purpose Limitation: processing data only for the purposes specified at the time of collection.
- Transparency: clearly communicating, through a privacy notice, how personal data will be used, shared, and stored.
- Data Subject Rights: upholding individuals’ rights to access, rectify, and delete their personal data.
Data security practice is narrow, concentrating on the protection of data against cyber threats and vulnerabilities. An effective data security program involves the implementation of technological and organizational measures which are proportionate to the amount and sensitivity of the data, safeguarding it from malicious attacks, accidental loss, and unauthorized access. Key elements of an effective data security program include:
- Access Controls: ensuring that only authorized users have access to the specific data needed to perform their job duties.
- Encryption: protecting data in transit and at rest by converting that data to a secure format that is unreadable without a decryption key.
- Network Security: implementing firewalls, intrusion detection systems, and secure network architectures to protect data in transit and at rest.
- Incident Response: defining procedures to detect, respond to, and recover from data breaches or security incidents.
- Data Backup and Recovery: regularly backing up data to offsite locations so that it can be restored in the event of a loss incident.
Regulatory Frameworks and Their Important Role in Data Protection
Data privacy is heavily influenced by regulatory and legal frameworks that vary by region and industry. Not everyone is subject to data privacy regulations as a matter of law, but some may be subject to them through their contractual requirements. It’s important to consult with qualified legal counsel to determine your specific obligations. Notable data privacy regulations include:
- General Data Protection Regulation (GDPR): a comprehensive data privacy law in the European Union, with a counterpart in the United Kingdom, that sets stringent requirements for the collection, processing, and storage of personal data.
- California Consumer Privacy Act (CCPA): the strictest data privacy law in the United States, granting California residents specific rights regarding their personal data.
- Health Insurance Portability and Accountability Act (HIPAA): a U.S. law that sets standards for the protection of health information in the hands of medical providers and insurance brokers.
Data security is governed by various regulations and standards for specific sectors and types of data. However, just as with data privacy regulations, it’s important to consult with qualified legal counsel to understand your specific obligations, if any, whether statutory or contractual. Regardless of any specific external obligations, a reasonable data security program is the minimum market standard for safeguarding data, and failure to implement such controls may land you in hot water with government regulators and your contractual partners should you suffer a compromise. Key data security regulations and standards include:
- Payment Card Industry Data Security Standard (PCI DSS): a set of security standards for organizations that handle credit card information.
- Federal Information Security Management Act (FISMA): a U.S. law that requires federal agencies and their third-party partners to develop, document, and implement information security programs.
- National Institute of Standards and Technology (NIST) Cybersecurity Framework: a U.S. standard for information security which can serve as an affirmative legal defense to lawsuits and regulatory actions in the wake of a cyber incident.
Protecting Personal Information: The Privacy and Security Intersection
While data privacy and data security are distinct, they are deeply interconnected. Effective data privacy cannot be achieved without robust data security measures, as unauthorized access to or breach of personal data directly undermines privacy. Conversely, data security practices must consider privacy requirements to ensure that security measures do not infringe upon individuals’ rights. Understanding the differences and interplay between these two domains is crucial for organizations to effectively manage and protect data in an increasingly digital world. By prioritizing both privacy and security, organizations can build trust with individuals, comply with regulatory requirements, and safeguard their valuable data assets.