These terms are often misused interchangeably because understanding the differences between data privacy vs. data security vs. data protection is challenging.
In this post, we’ll look at these three critical concepts in-depth and explore how businesses can better implement best practices to protect their interests.
Data Privacy Explained
With new data privacy laws popping up regularly to ensure websites and online businesses treat their users’ data ethically, it can be hard to keep up with definitions, regulations, and legislation.
We can define data privacy as the proper use and processing of personal data by restoring control over their data to individuals. Simply put, data privacy enables individuals to decide and limit access to the use and sharing of their personal data.
Protecting personal information ensures that the data is kept secure. This concept is where data privacy transitions to data security and protection.
Data Privacy Laws
If you’re a business owner with an online presence, you have probably heard about the numerous data privacy laws recently enacted worldwide.
The following are examples of laws that aim to protect users’ data privacy online:
- The EU’s General Data Protection Regulation (GDPR)
- Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)
- The California Online Privacy Protection Act (CalOPPA)
- The California Consumer Privacy Act (CCPA)
- The Utah Consumer Privacy Act (UCPA)
How Data Security Affects Data Privacy
Most online businesses and websites collect personal data, from email addresses to phone numbers, credit cards, and log-in details. Ideally, these entities shouldn’t keep more information than is necessary, nor should they keep it longer than necessary.
However, you cannot operationalize data privacy without ensuring the security of data.
For example, if you fail to protect people’s credit card details against hackers and they get access to this data, they can sell it on the dark web. Therefore, data security is a prerequisite to data privacy.
What Is Data Security?
Like data privacy, the phrase “data security” is somewhat vague and not necessarily intuitive. This confusion is particularly true when comparing data privacy, data security, and data protection concepts.
Data security is the concept of protecting digital data from theft, corruption, or unauthorized access throughout its entire lifecycle of:
- Creation
- Storage
- Use
- Sharing
- Archiving
- Destruction
Data security involves everything from the physical security of the storage devices and hardware to administrative access controls and the security of software applications.
It also includes organizational policies and procedures.
Correctly implementing data security can protect your data from cybercriminal activities, insider threats, and human error.
Various tools and technologies help protect your data, including:
- Redaction of sensitive files
- Data masking
- Encryption
- Automated reporting
These tools can help keep your data secure while supporting you in other areas, like streamlining your audits and complying with regulatory requirements.
What Is Data Protection?
Once you have ensured appropriate data privacy and security, the next step is providing proper data protection.
There are two definitions for “Data protection,” narrow and broad:
- The narrow or more traditional definition of data protection: Maintaining data availability by way of backups so you can easily restore data
- The broader or more modern definition of data protection: It covers data availability, immutability, preservation, deletion/destruction, and “data privacy” and “data security.”
The more data you collect and store, the more important it becomes to create backups for your critical data. For many companies, the timeliness of implementing a backup is also essential.
Ideally, if you have lost critical data, you would want to replace it as soon as possible to avoid losing out on business during your downtime.
There are several ways to implement a data protection strategy, from using different storage devices to creating cloud backups and archiving.
Data Privacy vs. Data Security vs. Data Protection
Now that you have a solid understanding of the basic definitions of data privacy, data security, and data protection, let’s look at how these three interlinked topics compare, how they are linked, and how they operate in tandem.
Let’s start with a simple table to illustrate the differences between these concepts:
| Data Privacy | Data Security | Data Protection |
| Ensuring proper use of personal data by giving individuals control over how their data is accessed, used, or shared. | Protecting data against unauthorized access, use or destruction by implementing appropriate technical controls, mechanisms and procedures | Covers data availability, immutability, preservation, deletion/destruction, and “data privacy” and “data security.” |
Data Privacy vs. Data Security
To better understand these two ideas, let’s compare data privacy vs. data security.
Data privacy is the concept of ensuring proper use of personal data by giving individuals control over how their data is accessed, used, or shared. On the other hand, data security keeps that data safe from unauthorized access.
Example No. 1: Data Privacy
Example.com sells unique products via its eCommerce shop and it collects many pieces of data from its online shoppers such as:
- Email addresses and log-in details
- Shipping addresses
- Billing addresses
To ensure proper handling of personal data and to give individuals control over access to and sharing of their data, Example.com does the following:
- It allows its customers to unsubscribe from its email marketing&newletter list.
- It does not disclose its customers’ email addresses and purchases data to data brokers without getting its customers’ consent.
- It stores customers’ purchase information in accordance with data storage periods determined by applicable laws.
These efforts are all part of Example.com’s data privacy strategy.
Example No. 2: Data Security
The executives recently decided to update Example.com’s data security policy. As a result, they hired a data security analyst who brought to their attention that more staff members had access to shoppers’ information than was necessary — weakening the company’s overall data security.
After reviewing which staff members needed access to this information, they reduced the number of “need to know” players from 26 to only seven. In addition, they allowed an outlet for some other members to request access under special circumstances.
By reducing the number of staff members who could access shoppers’ data by nearly three-quarters, Example.com significantly strengthened its data security plan.
Data Privacy vs. Data Protection
Now, let’s compare the similarities and differences of data privacy vs. data protection.
Once again, data privacy is the concept of collecting, sharing, and storing as little data as possible. On the other hand, data protection refers to duplicating your data to restore it quickly if lost or damaged.
Consider example No. 1 above and compare that to how Example.com handled its data protection concerns in the following example.
Example No. 3: Data Protection
Example.com is a national company beginning to broaden its reach into the international market. However, a data protection analyst recently pointed out a potential issue.
Suppose Example.com’s shopper data were suddenly lost or destroyed by a cyberattack or human error. In that case, it could lose millions of dollars in revenue before its current data protection plan could restore the data to its former level.
Example.com’s executives weighed the costs of updating their plan against the benefits and decided it would be worthwhile to invest in the analyst’s suggestions to strengthen the data protection plan.
Some of the data protection analyst’s suggestions included:
- Running tests on data reinstatement speeds for different scenarios
- Creating cloud backups
- Updating the backed-up data regularly
Data Security vs. Data Protection
People often mix up data security and data protection because the two concepts sound so similar. This confusion is understandable, as many assume that protecting data is the same as keeping it secure.
However, these terms carry specific meanings that shouldn’t be confused.
Data security is the science of keeping your data safe from unauthorized access. Meanwhile, data protection focuses on replicating and protecting that data in the event of data loss or damage.
Compare example No. 2 to example No. 3 to see how Example.com updated its data security policy vs. its data protection plan. They focused on reducing internal access to shoppers’ data to improve its data security.
One reason is that sometimes malicious activity can come from within the company. Additionally, it reduces the chances of human error, which is linked to 95% of cybersecurity threats.
Tips for Data Best Practices
When it comes to data privacy vs. data security vs. data protection, it pays to stay on top of the industry’s ever-changing best practices. Here are some tips to help you stay on the cutting edge.
Tips for Data Privacy Best Practices
- Understand how your relevant regulations define personal information.
- Utilize proper consent management when collecting data.
- Store only essential information.
- Don’t store data longer than necessary.
- Understand individuals’ rights over their data under applicable laws and regulations. When individuals submit a request such as objecting to the sharing of their data, comply with such requests.
Tips for Data Security Best Practices
- Limit internal access to data.
- Encrypt your data.
- Don’t use public Wi-Fi connections on your business devices.
- Take extra precautions to guard against human error.
Tips for Data Protection Best Practices
- Back up essential data regularly.
- Consider sending backed-up data to the cloud.
- Consider backing up data in a different physical location from your company offices — a catastrophic event at your physical location could destroy both the original files and the backups.
Summary
Data privacy, data security, and data protection are key concepts that are worth understanding. And although they are all intrinsically linked to one another, they embody entirely different ideas and techniques.
Staying up to date on the best practices and updating your data policies can help keep you and your customers safe from cyberattacks and data leaks.
More about the author
Written by Ali Talip Pınarbaşı, CIPP/E, & LLM
Ali is a London-based Data Privacy Law Consultant with a Master of Laws Degree in EU Privacy law at King's College London. He has three years of experience in advising businesses on how to comply data protection laws. More about the author
