Three terms that are thrown around a lot in the space I consult in are data protection, data privacy, and information security. When speaking to a consultant like myself, or to a specialist in any of these fields, it can be confusing how they relate to one another. This post aims to clear these definitions up so that you have a clearer picture of your data protection landscape. While I have covered this subject before, I'm adding Data Protection to the discussion as the term is being used much more frequently, while the realms of Privacy and Security are becoming more mature.
In a number of textbooks and popular definitions, Data Protection and Data Privacy are treated as synonymous. Thankfully, this tide is changing as the industry matures. Data Protection (in my view, as well as that of a number of the partners I work with) is a blanket term encompassing the realms of Data Privacy and Information Security. Think of it as the overarching umbrella for data governance within an organisation.
With that said, let’s jump into the definitions of Data Privacy and Information Security.
A textbook definition of data (or information) privacy, as put forward by M. and K. Michael in 2014, goes as follows:
“Data Privacy is the relationship between the collection and dissemination of data, technology, the public expectation of privacy, legal and political issues surrounding them.”
From this definition we can already see a separation from security: it mentions public expectations, legal issues, and political issues, none of which fall into the scope of "security". However, there is also an overlap between privacy and security, in that the definition speaks to the dissemination of data and its relationship to technology.
The good folks over at Integris Software have a useful way of looking at this relationship. Privacy looks at what data is important and why. It involves legal obligations and laws such as GDPR and POPIA, and, following from those, all the activities that form part of compliance with these laws: policies, internal procedures, governance exercises, contracts, and the mapping of data. Information Security, in their definition, is how those policies are enforced.
These are the technical and physical means of protecting the information that has been identified in the privacy space. Let's take a look at the definition of Information Security put forward by the SANS Institute:
“Information Security (InfoSec) refers to the processes and methodologies which are designed and implemented to protect print, electronic, or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.”
A key component to pull out of this definition is the phrase "print, electronic, or any other form" of information. This should immediately tell you that Information Security goes beyond just cyber security, and by extension beyond the IT department (more on that in an article to come). Information security, at its simplest, therefore covers any method of protecting data and information, whether physical or electronic. These range from locking doors and access control for sensitive office areas, through to looking after the IT infrastructure and ensuring the correct firewalls and technologies are in place to protect the private information in your business.
A Holistic View
While each component was looked at in relative isolation in the past, the two concepts of privacy and security cannot be divorced from each other in the modern world. One affects the other no matter which way you go about it, with laws such as GDPR and POPIA enforcing compliance on both sides of the fence. Further to that, looking after both is simply good business practice. I trust that this offers a much clearer view of the landscape, and I wish you all the best for your Data Protection exercises!
Ross G Saunders Consulting is a niche data protection, privacy, and InfoSec consultancy, working with a number of professional partners to help you as a business comply with data protection regulation and good practice. They help with business process, compliance, documentation and more, and can offer a full range of services to take the hassle out of data protection. Why not reach out to find out how they can help you gain a competitive advantage while simultaneously garnering support from your existing and potential customers.