Data privacy informs data protection, but data privacy cannot exist without data protection. Jay Hira, Security and Compliance Advisor at Salesforce, dives into the complicated yet critical relationship between data protection and data privacy.
Are data protection and data privacy mutually exclusive?
To start with, let’s just set the context. Data privacy essentially governs how data is collected, how it is used and who it is shared with in terms of supply chain or third parties. When it comes to data protection, there are three core elements: confidentiality, integrity and availability. But the application of these core elements is very contextual depending on the business itself.
Now, for example, if you and I were looking at buying a car, our choices could be very different. You may be big on personal safety features such as number of passenger airbags and the ANCAP safety rating. Whereas I may prioritise safety features such as blind-spot monitoring and emergency-brake assist. In a way, the choices we make on security features in the car translates to data protection.
If either of us has a child under the age of seven, who is an occupant on this vehicle we’re about to buy, then a child-restraint car seat is mandatory – it’s not a choice that you or I can make. So rules that apply to us as the occupants of the car translates to data privacy. Similarly, when it comes to businesses storing personal information, you have to meet the legislation on privacy, and that’s not optional.
Going back to the question of can one exist without the other? It’s a very interesting question. My view is that data privacy informs data protection. Data protection can exist on its own without data privacy, but data privacy cannot exist without data protection.
Are you seeing a shift at the moment around how organisations approach privacy and protection, especially in the design of those programs?
There is definitely a shift I’ve been noticing. We’ve always heard of security by design and of late there have been conversations around privacy by design. So in that example of buying a car, let’s just say if there was no child in the car, we could have bought whatever security features were suitable for you or me. But as soon as we start storing personal information, therein comes the importance of following the rules that are mandated around privacy, which is where the car-seat restraint comes into the picture.
You’re right in saying that there has been a shift. Data protection was purely seen as something that would help you focus your attention to confidentiality, integrity, and the availability and value of data. Now we’re moving more towards privacy legislation and how we are using the data we’ve got. The shift is around how this data is being shared or when it’s being deleted, and the shift is from businesses to data subjects.
What should organisations be managing themselves and what should they get external expertise for?
When it comes to data protection programs, the involvement of external expertise would depend on criteria such as where are the people with the right skills available within the organisation? How much funding is allocated for the program? What are the outcomes and timeframes? These are some of the criteria.
However, if we were to just chunk the overall program into four or five essential stages, the first stage is identifying business, regulatory and compliance requirements. The second stage is defining data classification itself. The third stage is managing who has access to what data. The fourth stage is designing controls to protect, detect, respond and recover data. And the fifth stage is testing controls both at the design level and operational-effectiveness level.
In my view, the sweet spot to engage external expertise or an external provider would be at the time of testing controls, as this will help maintain independence.
If we can apply some of what we’ve been talking about to SMEs, what does a typical journey for security maturity look like in the context of data privacy and data protection?
It’s similar to you and me as individuals and our life journeys – you go through schooling to gain a deeper understanding of a discipline you want to pursue. You go into the workforce and eventually you reach my age group where you find your purpose and start connecting the thoughts between who you are as an individual, what you truly believe in, and what you do for a living.
Similarly, SMEs go through a more or less structured sequence of steps. The first fundamental step is establishing the baseline security capability. This could be influenced by regulators, depending on their industry, or their motivation could be to achieve security standards and certifications. For their end customers or other businesses that are consuming their services, this can establish and build trust.
The next logical step is to continue to optimise your security capability. At this stage, some businesses may use a framework such as the NIST Cybersecurity Framework to measure their maturity and constantly work on improving it. Other businesses may use independent experts to evaluate their capabilities.
Most businesses will go through a stage that focuses on cyber-resilience capabilities. That’s almost like step three, where they’re focusing all their efforts on detecting, responding and recovering from cyber incidents.
Eventually they get to step four. At this stage, you know your security teams are aligned with the business in achieving outcomes, and consumers are getting really tech- and privacy-savvy. This last stage is where the perception of security starts to shift from a cost-centre approach to a business enabler.
You’ve stated that you wish the industry was less reactive. At what point in the maturity pathway should an organisation say, ‘We’ve got our foundation right, but let’s enable ourselves as an organisation to be much more proactive about how we protect ourselves’?
That’s actually a great point around how organisations focus on their security maturity through adversity capabilities or through active threat-hunting exercises. These can help them to really identify what the cyber-threat actors are actively pursuing in your organisation, and what sort of threats you are seeing on your internet-accessible infrastructure.
Once you get to a point where you’ve demonstrated that you’re enabling business, that’s when you start focusing on helping them understand that any investment on the detect, respond and recover capabilities will help with supporting the business function itself. The intent of security is to make sure that we continue to support the business, and in order to detect and respond to a cyberattack, active threat hunting or chasing the adversary capability is critical.
Want more insight into the world of security, identity access management, biometrics and more? Get your fix with the IDentity Today podcast, hosted by Daltrey MD Blair Crawford. You can start on Episode 1 here or listen via Apple Podcasts, Spotify or your favourite podcast app.
