Data Privacy Day is observed on January 28th, commemorating the signing of the Council of Europe’s original Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data in 1981. Also known as “Convention 108”, it was updated and modernized in 2018 to “Convention 108+”.
Data Privacy (also known as Information Privacy) is defined as being “…concerned with the proper handling of data – consent, notice, and regulatory obligations.”
However, there are two additional concepts, Data Protection and Cybersecurity, that go hand-in-hand with Data Privacy and need to be understood in order to fully comprehend the challenges faced in today’s technological world.
People often use these three terms interchangeably. However, understanding the differences between the three, as well as how they are connected, is key to defining and building a strong information security culture in your organization.
Data Privacy and Data Protection are long-standing concepts that pre-date the technology age, going back to Aristotle. “Aristotle’s distinction between the public sphere of politics and political activity, the polis, and the private or domestic sphere of the family, the oikos, as two distinct spheres of life, is a classic reference to a private domain.”
The legal concept of Data Privacy is based on an 1890 Harvard Law Review article, The Right to Privacy, which offers what would become the legal definition of Privacy – “Recent inventions and business methods call attention to the next step which must be taken for the protection of the person, and for securing to the individual … ‘the right to be let alone.’” This idea wove its way through the years and across continents, folding in the growth of digital technologies. In 1967, the United States government passed the Freedom of Information Act (FOIA), giving citizens the right to access data held by government agencies. In Europe, there was a series of Directives and Acts related to Privacy that culminated in the General Data Protection Regulation (GDPR), which came into full effect on May 25, 2018.
The history of Data Protection developed in step with that of Data Privacy. As long as there have been generals protecting their troop movements from the enemy, spies encrypting messages for transfer, or offices with locked filing cabinets, there has been Data Protection. The first governmental guidelines on Data Protection date back to 1980, when the Organisation for Economic Co-operation and Development (OECD) published the “Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.” Additional frameworks outlining best practices for data protection and security, such as the Payment Card Industry Data Security Standard (PCI DSS), the ISO/IEC 27000 series, and GDPR, have been introduced over the last 40 years in an attempt to provide guidance on protecting data across evolving technology.
The commonly accepted belief is “There is no Data Privacy without Data Protection.” Data Privacy defines, in legal terms, what counts as sensitive data, such as Personally Identifiable Information (PII). Data Protection guidelines define the best practices for guarding that data.
Cybersecurity is the “new” concept of the trifecta, dating back to the early 1970s and ARPANET (the foundation of the Internet we use today). Its focus is not legal or regulatory, but instead the practices, processes, and technologies for the protection of data and IT assets. With the explosion of data that is being collected, stored, and processed today, there is an increase in the amount of sensitive data handled by organizations that must be protected from unauthorized access. Cybersecurity includes components of securing networks, applications, endpoints, databases, identity management (authentication and authorization of users), cloud, and mobile. It also covers Business Continuity and Disaster Recovery (BCDR) and User Education.
It can be said that in 2020, with the large scale of data that is captured, stored, and processed digitally, there is limited Data Protection without Cybersecurity. While Data Protection provides the guidelines, processes, and best practices for protecting data, Cybersecurity programs put those ideas and words into action. For example, PCI DSS 3.2.1 Requirement 7 states that organizations must “Restrict access to cardholder data by business need to know.” This is Data Protection. Cybersecurity is the implementation of role-based access controls and features such as Single Sign-On (SSO) or Multi-Factor Authentication (MFA) to prohibit unauthorized access.
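To make the Data Protection to Cybersecurity hand-off concrete, here is an added example (not code from the original post or from the PCI Security Standards Council) of a role-based, need-to-know control over a cardholder record. The roles, field permissions, and the sample record are constructed for illustration; the card number is the standard 4111 test number, not a real card. Each role sees only the fields its business function needs, the PAN is masked for roles that do not need the full value, and every decision is written to an audit list so withheld fields and unknown roles are visible to monitoring.

```python
"""Need-to-know access control for cardholder data (added example).

Shows how a Data Protection requirement (PCI DSS Requirement 7: restrict
access to cardholder data by business need to know) becomes a Cybersecurity
control: a role-based policy that decides, per field, whether a caller may
see the full value, a masked value, or nothing at all.
Roles, fields, and the sample record are constructed for this example.
"""

# Constructed cardholder record. The PAN is a well-known test number.
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "cardholder_name": "A. Example",
    "pan": "4111111111111111",
    "expiry": "12/29",
}

# Policy: role -> field -> permission level (assumed roles for the example).
# "full" returns the stored value, "masked" returns a redacted form, and a
# field absent from the role's map is withheld entirely.
POLICY = {
    "billing_clerk": {"customer_id": "full", "cardholder_name": "full",
                      "pan": "masked", "expiry": "full"},
    "fraud_analyst": {"customer_id": "full", "cardholder_name": "full",
                      "pan": "full", "expiry": "full"},
    "marketing": {"customer_id": "full"},
}


class AccessDenied(PermissionError):
    """Raised when a caller's role has no entry in the policy at all."""


def mask_pan(pan: str) -> str:
    """Show only the last four digits; everything else is replaced by '*'."""
    return "*" * (len(pan) - 4) + pan[-4:]


def read_record(role: str, record: dict, audit: list) -> dict:
    """Return the subset of `record` that `role` may see, masking where required.

    Every decision is appended to `audit` (a plain list standing in for a
    log sink) so that denials and withheld fields can be reviewed later.
    """
    perms = POLICY.get(role)
    if perms is None:
        audit.append(f"DENY role={role} reason=unknown_role")
        raise AccessDenied(role)

    view = {}
    for field, value in record.items():
        level = perms.get(field)
        if level == "full":
            view[field] = value
        elif level == "masked":
            view[field] = mask_pan(value) if field == "pan" else "[redacted]"
        else:
            # No permission for this field: withhold it and record the fact.
            audit.append(f"WITHHELD role={role} field={field}")
    audit.append(f"ALLOW role={role} fields={sorted(view)}")
    return view


if __name__ == "__main__":
    log = []
    for r in ("billing_clerk", "fraud_analyst", "marketing"):
        print(r, read_record(r, SAMPLE_RECORD, log))
    print("\n".join(log))
```

The policy table is the part a reviewer should be able to read without the code: it is the auditable statement of who needs what, and changing it (for instance, giving marketing the PAN) is the kind of change that should go through the change-management process rather than a quick edit.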
Based on the powerful trifecta of Data Privacy, Data Protection, and Cybersecurity, here are some important recommendations for improving your organization’s information security culture.
- Identify the data – always know what data you hold in your systems, as well as its data classification. There are a number of tools on the market that can help automate this process.
- Determine guidelines for data protection – based on the data you hold, the industry in which you operate, and the clients you serve, research various governance and regulatory frameworks and guidelines which are applicable to your organization.
- Implement cybersecurity protections and safeguards – once you know your data and the required data protection framework(s) you need to meet, design a cybersecurity program that supports and enforces data privacy and data protection.
- Information security mindset/culture is key – train users on these key concepts and how they are related, and provide strong Security Awareness Training and Data Privacy Training to help build and sustain your organization’s information security culture.
- Changes ripple; change management is key. Adding new software systems, retiring old applications, changing your organizational hierarchy — all of these can result in changes to data and systems that require updates to your data privacy, data protection, and/or cybersecurity programs. Be sure to review and update your programs on a regular basis and with any significant changes to your organization.
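The first recommendation above, identifying and classifying the data you hold, is the one most often skipped because it sounds like a paperwork exercise. The following added example (not from the original post, and not a substitute for a commercial discovery tool) scans a small set of constructed records, detects card numbers by pattern plus the Luhn check and e-mail addresses by pattern, and produces a per-field inventory with a classification level. The field names, sample rows, and the three-level labelling scheme (internal, confidential, restricted) are assumptions made for the example.

```python
"""Data discovery and classification inventory (added example).

Walks a list of records, detects sensitive values, and reports for each
field which sensitive types were seen, how many hits, and the highest
classification level the field should carry. Records and labels are
constructed for this example; the card number is a standard test number.
"""
import re

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
# A run of 12 to 22 digits, spaces, or hyphens starting with a digit:
# a cheap pre-filter before the (slower) Luhn check.
DIGITS_RE = re.compile(r"^[0-9][0-9 -]{11,21}$")

# Assumed classification scheme for the example.
LEVEL = {"pan": "restricted", "email": "confidential", "unclassified": "internal"}
RANK = {"internal": 0, "confidential": 1, "restricted": 2}


def luhn_valid(number: str) -> bool:
    """Return True if the digits in `number` pass the Luhn checksum (13-19 digits)."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_value(value) -> str:
    """Label a single value as 'pan', 'email', or 'unclassified'."""
    if not isinstance(value, str):
        return "unclassified"
    if DIGITS_RE.match(value) and luhn_valid(value):
        return "pan"
    if EMAIL_RE.match(value):
        return "email"
    return "unclassified"


def inventory(records: list) -> dict:
    """Return {field: {"types": set, "level": str, "hits": int}} over all records.

    A field's level is the highest level of any sensitive value found in it,
    so one card number in a free-text column marks the whole column restricted.
    """
    result = {}
    for rec in records:
        for field, value in rec.items():
            entry = result.setdefault(field, {"types": set(), "level": "internal", "hits": 0})
            kind = classify_value(value)
            if kind == "unclassified":
                continue
            entry["types"].add(kind)
            entry["hits"] += 1
            if RANK[LEVEL[kind]] > RANK[entry["level"]]:
                entry["level"] = LEVEL[kind]
    return result


# Constructed sample data. Record 2's card value fails the Luhn check on
# purpose, to show that a digit run alone is not treated as a PAN.
SAMPLE_RECORDS = [
    {"id": 1, "contact": "a.example@example.com", "note": "renewal",
     "card": "4111 1111 1111 1111"},
    {"id": 2, "contact": "b.example@example.org", "note": "call back 5551234567",
     "card": "1234 5678 9012 3456"},
]


if __name__ == "__main__":
    for field, entry in inventory(SAMPLE_RECORDS).items():
        print(f"{field:10} level={entry['level']:12} hits={entry['hits']} types={sorted(entry['types'])}")
```

The output of a run like this is the input to the second recommendation: a field marked restricted because it holds card numbers tells you PCI DSS applies to that system, while a field that only ever holds e-mail addresses points you toward privacy regulation such as GDPR. Re-running the inventory after a schema change is one cheap way to catch the ripple effects the last recommendation warns about.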
Remember, your employees are often your last best defense against hackers, as well as your largest target. Help them help you by giving them the tools they need to make good choices in relation to Data Privacy. One great place to start is these suggestions from the National Cyber Security Alliance that outline for individuals how to update their privacy settings in popular apps. You can also share with them these guidelines for securing their key accounts and devices.