Muddling the concepts of security and privacy
or why encrypting data does not necessarily solve privacy issues
Privacy and security are two different concepts, yet the dividing line between them is blurred. The Swiss Federal Data Protection and Information Commissioner (EDÖB) offers an illustrative summary in his clarifications to the changes of the directive on minimum requirements for a Data Protection Management System:
Understanding the differences is just a first step. Creating a dialogue between the two disciplines is critical to effectively face an organization’s challenges. So what are the differences? J. Trevor Hughes, president and CEO of the International Association of Privacy Professionals (IAPP), wrote an excellent article on CSO Online that helps to distinguish the two.
At least three key aspects are:
Information Security deals with the implementation of technological and procedural controls to manage access to data.
Data Privacy deals with how data is managed (i.e. gathered, stored, used, shared, deleted) in compliance with the law, and answers questions on what is permissible and/or inappropriate with regard to the usage of data.
An Information Security Professional’s language is based in technology and IT.
A Data Privacy Professional’s language is based in law and compliance.
As a result, the ability to understand each other may be limited, but it is crucial in order to create a dialogue and a mutual understanding of each other’s challenges within the organization.
A great security program does not necessarily solve privacy issues: access to data can be perfectly controlled and encrypted in transit and at rest, while the data itself is still collected, used or shared in ways the law does not permit.
On the other hand there is no great data privacy without great security.
Or, citing J. Trevor Hughes: “It is very true that you can have perfect security and still be incredibly stupid with regards to privacy.”