In this post, we’ll provide an all-encompassing run down of data security and data privacy, why it’s important, real-world examples, and key tips for your organization to keep your data secure and private.
Data security and data privacy are strongly interconnected but not the same. Knowing the differences is important to better understanding how they work, and what they each mean to your business.
With GDPR over a year old, and the California Consumer Privacy Act (CCPA) now in effect, it’s more important than ever for organizations to make sure they understand what these two things are, why they matter, and how to address them in their day-to-day business operations.
It’s especially important for industries with strict compliance laws such as healthcare, legal services, finance, and biotech; however, it applies to anyone collecting data. It should also be noted that this doesn’t just apply to the IT or Compliance department, but to the entire organization, from marketing and sales to customer service.
What’s the difference between data security and data privacy?
Data privacy is a part of data security and is related to the proper handling of data - how you collect it, how you use it, and maintaining compliance.
Data security is about access and protecting data from unauthorized users through different forms of encryption, key management, and authentication.
Why is Understanding the Difference Important?
With all the legal requirements now in place protecting consumers’ privacy and data, it’s critical that your business understands the implications of not understanding or addressing these two items. Now that we’ve covered what they actually are, let’s dive into what it means for you.
As a business, it is your responsibility to keep your data secure, and that also means keeping your employees’, customers’, partners’, and any other contacts’ data safe and secure. Without proper measures in place, a variety of scenarios can happen:
1. If you don’t have proper security measures in place, such as Multi-Factor Authentication, Multi-Device Management, and Identity Management, your business could be at risk of a breach. Aside from employees, your data is your most critical asset. If it becomes compromised, the business will suffer dramatically and may even cease to exist.
About 60% of hacked small and medium-sized businesses go out of business after 6 months.
2. Without proper measures in place to keep your employee or customer data private, you could be in violation of a variety of regulations. For example, healthcare companies must abide by HIPAA and not share sensitive patient information. This personal information should also not be sold or redistributed without consent. In doing so, you could 1) violate the law and 2) end up with disgruntled customers who leave you for a competitor. Either way, it has a significant impact on your revenue, between fines and loss of customers, not to mention the reputation you will form that could have lasting effects.
What Are The Legal Implications? GDPR & CCPA Compliance
What GDPR Means for Your Business
With the EU’s General Data Protection Regulation (GDPR) now in place, businesses need to protect the “personal data and privacy of EU citizens for transactions that occur within the EU.” Even though this might seem similar to the US, there is a significant difference in how the EU and the US define identification information.
Under GDPR, companies need to apply the same level of data security to stored personally identifiable information, such as social security numbers, as they do to cookies. And even though the GDPR is an EU regulation, it also applies to anyone that has dealings within the EU.
To learn more about GDPR, here is a checklist we created to make sure your organization is protecting your data.
What CCPA Means for Your Business
The California Consumer Privacy Act (CCPA) took effect in January of 2020. The reasoning behind this bill was to protect the privacy and data of consumers. Essentially, it gives people the right to determine how their data is stored and shared.
With this law in place, and other states starting to follow, it’s critical for businesses in California to understand the legal ramifications and how to abide by the new law. This new law “creates new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses,” meaning California residents have the right to:
- Know what personal data is being collected, access that data, and request that their data be deleted
- Know if that data is being sold and to whom, and opt out of having their data sold
The CCPA applies to the following businesses (must meet only one of the following):
- Annual gross revenue greater than $25M
- Buys or sells the personal information of 50,000+ consumers/households
- Earns more than half its annual revenue from selling consumer information
While this may not apply to you now, other states are following suit, and there are discussions at the federal level, so data privacy rights will become more commonplace. Data isn’t going anywhere; in fact, it’s only growing. So regardless of whether you fall into today’s thresholds, it can’t hurt to start thinking about it for the future.
Here are a few more tips for being CCPA compliant.
One Real-World Example of Not Abiding By Data Privacy Laws
In January 2019, Google was fined $57M under the new GDPR law. This shows that even the biggest companies are still struggling with what this means for them and how to incorporate the right security and compliance measures within their business ecosystems.
The complaint came from a privacy group that accused Google of not properly adjusting its data collection policies to the new GDPR regulations. While the fine may be “immaterial” to a company of Google’s size, it goes to show how seriously regulators are enforcing this new law.
3 Tips and Reminders for Staying Data Secure
- Enable Multi-Factor Authentication whenever and wherever possible. This gives you better access control over your logins.
- Research and make sure you’re aware not only of your industry regulations but state-wide, national, and global laws that may impact you as well.
- Work with your IT team to make sure measures and policies are in place to protect user access controls.
Data Governance and Identity Lifecycle Management
One of the best places to start is making sure you’re governing your data and enabling the right individuals to access approved resources, which lowers your security risk. How do you do this? It starts with identity management. Identity management is the security discipline that enables the right people to access the right resources at the right time for the right reasons. There are many tools that allow for this, our favorite being Azure Active Directory. By implementing Identity Management across your systems and network, you ensure all employee activity and data are monitored and managed in a secure way. For example, so many people are working remotely and still collaborating today; documents are being sent back and forth and shared in a variety of ways. Identity Management allows your employees to do this safely.
In conclusion, while data privacy and data security are certainly interconnected, there are different ways to properly address both.
As a reminder, data security focuses on the technology and tools required to deter cybercriminals from getting their hands on your information such as social security numbers, credit cards, accounts, etc.
Data privacy is complying with local and federal laws, both within and outside your industry, to ensure that the data you’re collecting, the processes behind obtaining it, and what you do with that data are all law-abiding.
Both are incredibly important, so I hope this article helped point you in the right direction.
If you wish to learn more, check out our tips on preparing for the CCPA. If you wish to learn more about how we can help you, learn more about our Compliance Management and Identity Management solutions.