More often than not, information-security staff are responsible for security processes, but recently the titles of Data Privacy Engineer/Specialist are emerging. So why is this and what does it mean?
First off, what is the difference between confidential and secure data for business?
If we consider all of the different definitions out there, we can say that the confidential nature of data is about making sure personal information is secure and the legality of working carried out with it. Data security, on the other hand, is more about the measures that are implemented to protect all sensitive data in an organization.
When there’s a personal data breach, usually the business it happens to can get away with avoiding direct financial losses, excluding reputational losses and a drop in brand trust, as opposed to breaches in security systems or components in a company. Security processes and risk assessments are made without taking into account the losses or consequences that derive from public access to leaked personal data.
On the other hand, publication of personal data breaches containing names, emails, telephone numbers, etc. allow criminals to exploit personal information through fraud and identity theft leading to costs for the individuals (data subjects) concerned.
To counter this, the EU GDPR threatens companies with serious fines which potentially can run into the millions of dollars for a data breach that involves a leak of EU citizens’ personal data.
However, the regulation doesn’t punish organizations for breaches of other types of information.
To keep data secure and confidential, there are some general as well as independent guidelines:
Data security can be ensured using generally accepted principles, grouped together according to different domains of security (e.g. in the ISO2700x standards):
To ensure informational confidentiality, you need to adhere to requirements for existing security domains, in addition to perhaps having to create separate, independent domains.
Now let’s take a look at several of the additional domains.
Every employee that has access to personal data should have access not because it’s standard for their position in the company or because they are an administrator in the system and carry out support work. They should have access to this data because there is a real necessity to be able to access it as part of their work; should they not need to access personal data to carry out work functions, they should not have access.
If an employee, even one in the information security department, has excessive access to personal data which grants them the opportunity to see, copy, download, or otherwise PII from the system, ask yourself: why? If there is no real reason why and they don’t work with personal data then the fact that they have access breaches the data’s confidentiality. This brings about a real risk that the data could be accessed by unauthorized personnel.
Often there is a need to transfer data to third parties yet ensure:
But here the reason for transferring the data may be insufficient or non-existent, you may be giving excessive access to personal data, or you may have skipped checks on the third party to see whether they ensure the right level of protection for the data. If this happens and you have an incident, you will be in the wrong for not putting measures in place to keep the data confidential. This is because your actions lead to risks of the data being exposed or a personal data breach, even though — from a security point of view — you have all of the usual measures in place for non-PII data transfers.
Storage of PII can be in different formats, for example, it could be stored in Google sheets. Say you use Google Workspace company wide, set up all of the suggested security settings, but set sharing settings as open to all employees, including those that work with personal data. In this case, employees with access to personal data can share it (whether by accident or on purpose) with others within your company or even outside. Data shared could be a table with client personal data and this is yet another risk of breaching confidentiality requirements.
Another pretty popular wiki solution is Notion. Notion's enterprise tariff allows you to manage access rights, data sharing, and invites of external parties to your workspace. However, this isn’t a feature of the lower-priced tariffs.
This means that if you are using Notion and on any other tariff than the enterprise tariffs, there is a risk that one of your employees who works with personal data within this program could potentially cause a PII data breach.
PII that is stored or accidentally recorded to logs or your security solutions can also pose information security risks and poses a risk of data breach.
You can set aside a domain solely for processing PII. In this section, you can describe all of the reasons that employees, systems, etc. should have access to personal data and all of the data types and subjects that your company collects data on. Here you should also record and assess sufficient security measures regarding storage locations, data processing and transfer methods, the specific PII depending on the type and volume of the data.
You can also add the legal requirements for:
It is best to keep these in a data map.
If you really want to keep your data secure and confidential, you need to take into account that data security and data confidentiality mean different things. To work correctly with confidential data, you should look at it like a growing and developing area of information security, backed by requirements by regulators.
This is why the market has now began searching for specialists which don’t just know how to ensure data security, but also understand modern trends and developments in data privacy and understand the relevant laws and what they mean for work in information security.