The terms privacy and security have become commonplace: we hear about them constantly in the news and other media, and within our own corporate environments. The recurring theme is the call to keep systems and data secure, and the public notoriety a large corporation gains when it fails to apply sufficient measures and suffers a security incident or data breach.
It would be hard to find an individual who has not heard of legal regulations around data privacy or the need to keep their password secret from anybody but themselves. Likewise, most people have an opinion on the use of surveillance, facial recognition and the possibility for misuse, with detrimental impacts to our privacy.
Given how widely these terms are used, and how often they are conflated, it becomes difficult to separate one from the other. Yet, although they are related, privacy and security are fundamentally different.
To complicate the topic further, other terms are used as quasi-synonyms for privacy and security: data protection often replaces privacy in casual (and not so casual) conversation, whereas information security or cybersecurity take the place of security.
Without delving too long into the specifics, the European Data Protection Supervisor (EDPS) defines data protection as “protecting any information relating to an identified or identifiable natural (living) person”, aligned with the definition of personal data under GDPR.
Whereas information security deals with the protection of information assets (the data itself and the systems where it is stored, processed or transmitted), cybersecurity can be considered a subset of it, concerned solely with information in digital form (the most common form nowadays).
The predominant aspects that make privacy and security distinct are summarized below:
Etymologically, the word 'privacy' derives from the adjective 'private' plus the suffix '-cy', denoting a quality or state; it is first recorded in the 1590s in the sense of 'a private or personal matter, a secret', alongside the Old French 'privauté'.
'Security', on the other hand, stems from the Latin 'securitas', 'freedom from care', and also dates from the sixteenth century in its modern sense. Current definitions by the National Institute of Standards and Technology (NIST) vary in their wording, but in most cases they list the CIA triad: confidentiality, integrity and availability.
In context, privacy is mostly associated with keeping data about individuals confidential, as opposed to 'public'. This requires some level of security to prevent the data from being disclosed to illegitimate persons or used for unauthorized purposes; to keep private information secret, for example, we might employ encryption. In this relationship security is the means and privacy the end: privacy is the element with intrinsic value, and the purpose of security is to protect assets, privacy among them, to the extent required by law or by the organization's risk appetite.
Historically, privacy has a long standing in European law, with strong development during the 20th century, when the preservation of rights and freedoms was put on the agenda following global-scale conflicts. The most notable advancements are:
It is worth noting that over 130 countries have enacted laws with privacy as their focus, and this figure is only expected to increase in the near future.
In security, the goals are well defined and narrow. Cyber laws and standards do not have privacy as their focus; for instance:
On the other hand, the GDPR and Privacy and Electronic Communications Regulations (PECR) have privacy as their reason for being.
The effects of an incident leading to a loss of confidentiality in privacy matters can be catastrophic for an individual, and they are largely subjective. By contrast, security, when applied to individuals rather than organizations or the military, is typically associated with financial data. In overall terms, then, we have a qualitative versus quantitative difference in how risk is assessed.
Moreover, privacy encompasses a larger spectrum of data, such as location data and cultural or social identity (GDPR Article 4(1)), which security has not traditionally covered to the same extent.
According to the GDPR, it is not sufficient to have technical and organizational measures in place; organizations must also be able to show this, under the principle of accountability (GDPR Article 5). Being accountable means being able to demonstrate that all the precautionary measures conducive to becoming (and staying) compliant have been taken.
In a similar vein, transparency means privacy notices and cookie policies must be up to the required standard, stating how personal data is processed in clear language (not in the difficult legalese and 'small print' still in widespread use).
Security is concerned with being effective in the protection of assets, even if the entire set of operations is opaque to those it protects. The closest counterpart to accountability would be keeping logs to support non-repudiation.
Security is arguably the clearer cut of the two terms, which explains why it is easier to translate into quantitative risk. Likewise, ethical evaluations of security are simpler than those of privacy, given the extra dimensions and the subjectivity of the individuals involved.
The GDPR seeks to ensure that personal data is transferred only when the recipient, be it an organization or a third country, provides a comparable level of protection for it, avoiding 'blind spots' or weak points that could result in the data being compromised. This covers the 27 EU Member States as well as the countries deemed adequate by the European Commission (14 at the time of writing), and others where Standard Contractual Clauses or Binding Corporate Rules are in place.
By comparison, cybersecurity laws are far less homogeneous across countries, resulting in 'safe havens' for cyber criminals, oftentimes in jurisdictions from which no extradition is possible.
Now that we have seen their differences, we can highlight the fact that they need each other if either is to succeed. This intersection can be found in many places, although two take center stage given their importance, namely:
The relevant GDPR article requires data controllers and processors to 'implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk', and names 'confidentiality, integrity, and availability' among its core tenets.
A control in Annex A of ISO/IEC 27001:2013 tackles privacy: A.18.1.4 'Privacy and protection of personally identifiable information', which requires compliance with relevant legislation and regulation where applicable.
Both statements are deliberately vague, serving as placeholders for security and privacy respectively: each regime acknowledges the other without prescribing how it is to be achieved.
Given the current state of affairs, and as technology becomes more pervasive, we have to share more of our data with third parties, which process and store it in digital form. Think of all the data you share with organizations, in addition to all the data that is collected from you whether you like it or not (e.g. CCTV footage).
People want privacy for their personal data, demanding that those who process it meet their legal obligations and employ enough security to minimize the likelihood and impact of incidents. Privacy and security are thus interdependent in achieving this end, and although intertwined, they remain different.