Privacy & Security in Data - what’s the difference?
- Georgia Lowe
- Apr 7
- 3 min read
Updated: Apr 30
We’re unusual as a small consultancy in that we cover both data privacy and security in our work, with technology also a central theme - hence our company name. This reflects the interdependence of data, systems, processes and people which make up a large part of the value of today’s organisations, be they startups, multinationals or government bodies.
Within such organisations, it makes sense to split assets and resources into recognisable departments like Security, Compliance and Operations. However, when it comes to overall responsibility and accountability for data and information about a company’s employees, clients and partners, those lines can become more fuzzy.
This is partly down to how we view the world as humans - holistically, in the round, however you want to call it - and when our confidence or trust in another person or institution to keep our secrets safe is lost, it’s hard to rebuild.
Cyber-attacks, breaches, malpractice and scandals around data from Talk Talk to 23andMe are notable not just for the fines which ensued but for the ‘fallout’ damage to brands and the careers of CEOs, which is often less easily absorbed.
It’s also clear security and privacy need each other to work effectively. While privacy relies on security to prevent unauthorised access, security without privacy can protect data but fail to respect people’s rights (e.g. collecting excessive information securely).
Some key distinctions between these two areas can be seen here:
| Aspect/Facet | Data Security | Data Privacy |
|---|---|---|
| Focus | Protection against threats (hackers, bad actors) | Ethical handling and user control of data |
| Measures | Encryption, authentication, firewalls | Consent forms, privacy policies, GDPR compliance measures |
| Example | Encrypting customer databases | Displaying cookie consent banners |
| Objective | Safeguard data from breaches | Ensure data usage aligns with user rights |
What this shows is that getting the mix right is a balancing act, and while organisations may treat these areas differently the people working in CISO (Chief Information Security Officer) and DPO (Data Protection Officer) roles share a lot of the same responsibilities.
One impact of GDPR across organisations was bringing to a wider audience many of the concerns about data risk which security professionals had voiced for some time. Whether taking a ‘need to know’ approach to data use, vetting external third parties or operating a clean desk policy in the workplace, these are all now contributors to compliance and to creating a culture of accountability. The large fines associated with GDPR, while not levied as often as feared, served their purpose in concentrating the minds of top management.
Meanwhile, as privacy- and security-centric technologies and frameworks like Privacy by Design and NIST continue to evolve and mature, a lot of the tools are converging in the form of assessments, audits and incident plans. In this context, AI can play an exciting role ‘crunching’ large volumes of data from these (anonymously) so we can start to predict patterns in risks, attack surfaces and likely outcomes.
With a foot in each of the privacy and security camps, we increasingly find that the consultancy work we do for our clients is two sides of the same coin, whether it be helping them achieve SOC 2 or ISO 27001 certification, or scoping out risks for new software products through technical Data Privacy Impact Assessments (DPIA).

Our own Jessica Figueras will be Chairing the Cyber Leaders Summit in London on 7th-8th April, which brings together senior cybersecurity professionals and experts from the industry.