Is security the same as privacy?
If you’ve been wondering about it, you’ve come to the right place. We’re here to answer your questions.
And the short answer is no. Despite being used somewhat interchangeably, “security” and “privacy” are different concepts relating to different facets of data protection.
The purpose of security is to protect data from external threats. The purpose of privacy is to ensure fair treatment of personal data.
Said otherwise, security is about safeguarding the data itself; privacy is about protecting the natural person(s) the data refers to.
Confused? Keep reading. We’ll break it down for you.
Security vs. Privacy: What is Security?
Imagine being the director of a bank. A client entrusts you with a family heirloom: a diamond necklace.
Obviously, you want to keep the necklace safe and ready for your client to use, should they need it. You have to ensure the necklace isn’t damaged, destroyed, or stolen.
To this end, you set up a number of protective measures. First, you keep the necklace in a bulletproof and fire-resistant safe that will remain intact even in an earthquake.
Second, no one can access the necklace without authorization. Only a few trusted employees can get near it, and only when you tell them to. Even your client, the owner of the necklace, has to have their identity verified when they come to collect it.
These are security measures. They protect the necklace from both external threats (thieves) and natural ones (earthquakes, fires).
Security is About Protecting The Data Itself.
The principle remains the same when we move from material objects to data. Security is about ensuring the data isn’t lost, damaged, or stolen. It’s about maintaining its confidentiality and its integrity.
Examples of security measures include firewalls, tokenization, encryption, or two-factor authentication.
Of course, this list is not exhaustive, nor can it be: as technology evolves, hackers become more sophisticated, and perfectly sound protocols must be revised and updated. But you get the picture: security measures are the ones that protect your data from external threats.
Keep in mind that these threats don’t have to be directly caused by humans.
To get back to our example, if the necklace gets destroyed in a fire, the bank director has failed to guarantee its security. Similarly, if the data you’re managing gets damaged or is no longer available (for example, because fire destroys your data center), you’ve failed to ensure its security. Backups are a security measure, not a privacy-related one.
Which brings us to the next point.
Security vs Privacy: What is Privacy?
Let’s get back to our example. The precious necklace. A fascinating piece of art. So fascinating that you start wondering.
What if you had it photographed for a book about the bank? What if you lent it to an exhibit? Heck, what if you wore it to a party? After all, in none of these scenarios would the necklace suffer any damage. Its security wouldn’t be affected.
But what about your client’s reasonable expectations?
They entrusted you with the heirloom for one purpose and one purpose only: safekeeping. They never authorized you to do anything else. They might not want you to move their precious necklace around because doing so increases the risk that the jewel will be damaged or stolen by third parties. They might not even want you to photograph the necklace because they are not OK with other people knowing they own it. It’s a family matter—a private one.
Privacy is about respecting people’s right not to share their personal information without their consent. It’s about treating this information with care and respect. It’s about processing it only if authorized and only within the limits the natural person agreed to.
Privacy is About Protecting the Individuals the Data Refers To
Even if a piece of information doesn’t get lost, damaged, or stolen, it can still be processed in a way that’s inconsistent with the expectations and rights of the person to whom the data belong.
(Think about it. No respectable bank director would ever dream of taking a jewel out of the safe and having it paraded around, lent out, or used in a way that’s not consistent with their client’s wishes. Can you say the same level of stringency applies when we talk about personal data?)
Privacy measures ensure that such individuals retain a degree of control over their data. Examples include:
- Asking for consent before collecting personal data.
- Clearly stating the purpose of processing.
- Keeping records of consent.
Again, the list is not exhaustive: it will vary depending on several factors, including where you operate and which pieces of legislation are in force (for example, do privacy regulations such as the GDPR apply to you?).
Security vs Privacy: Two Faces of The Same Coin
Even though security and privacy cover different aspects of data security, they are interconnected. When it comes to personal data, it’s tough to guarantee the former without the latter and vice versa.
If your security measures aren’t up-to-date, hackers and cybercriminals can access the data your organization processes and jeopardize the privacy of your clients and employees.
Conversely, the more a piece of information circulates, the more it will attract undue attention. Maintaining a high standard when processing personal data not only ensures that the data subjects’ privacy is protected but also reduces the risk of external interference.