Two terms often used interchangeably are those of Data Privacy and Information Security (also known as InfoSec). While the two are related to each other, it is a common misconception that they are the same thing. This misconception leads to confusion around responsibility and accountability for each. Let’s jump in with a couple of definitions.
“Data Privacy is the relationship between the collection and dissemination of data, technology, the public expectation of privacy, and the legal and political issues surrounding them.”
– MG Michael & K Michael, 2014
“Information Security (InfoSec) refers to the processes and methodologies which are designed and implemented to protect print, electronic, or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.”
– SANS Institute
As we can see from the above, the two are quite different. Information Security, by definition, deals with the more mechanistic components of security – it refers to processes and methodologies. From this we can infer that InfoSec is far more closely aligned with the IT department, dealing with things like update management and security patches, firewalling, business processes and access control.
Data Privacy, on the other hand, deals with far more human and social aspects – the expectation of privacy, legalities and political issues – a far cry from the mechanistic properties of Information Security, no?
I believe that the lack of distinction between the two puts Executives (through no fault of their own) in the predicament of both thinking that Data Privacy is the IT department's problem and believing that the InfoSec team is looking out for data without having been given a specific mandate. Both of these assumptions are incredibly dangerous to an organisation.
While the InfoSec team is concerned with securing data on the network and physically, Data Privacy extends beyond this and deals with things like HR and employee records, marketing, contracts, policies and much more across the entire business landscape. It is therefore vitally important that the distinction between the two is made clear at Exco level, in order to effectively define the mandates of Privacy Officers as well as of InfoSec committees.
Ross G Saunders Consulting was founded in 2015 and specialises in Data Privacy, Information Strategy and Process Engineering. Their clients include software development houses, graphic design agencies, law firms, and various other verticals. They pride themselves on technical expertise, business acumen, and proven experience in technology, business and innovation. They deliver services through a network of professional consultants specialising in all things privacy related, from law to IT technical assistance. Enquire about the services offered today, and take control of your Data Privacy and Information Security.