— This post is part of a series of monthly blog posts about all kinds of Security topics for Developers —
Recently I’ve been doing a lot of work on data privacy at TOPdesk. The GDPR has been in effect since May 2018, so our developers need to be aware of its consequences. Since I’m mostly a security guy, I started wondering about the differences and similarities between data security and data privacy. Do they have the same goal? Can you use the same approach? Or is there a trade-off between them?
First of all, both data security and data privacy have the goal of protecting personal and sensitive data. Seen from high up, the goal is the same: data must only be available to the right people and must never fall into the hands of the wrong people. But who are the right people, and who are the wrong ones? That depends on the situation. In general, people should only have access to data if it is their own data, or if the owner or the law explicitly grants them access. Fortunately, the GDPR helps us a little here by spelling out when such access is lawful.
Data security is about confidentiality, integrity and availability. It is about making sure we can provide the functionality we promise while protecting the data. In the security domain we make sure that who gets access is configurable and that there is no way to circumvent that configuration; privacy is more about deciding who those people should be. Security also covers availability: the end-user should be able to keep using the software and the data even when attackers try to take it down, for example with a DoS (denial-of-service) attack.
Data privacy is mostly about appropriate use of data, more specifically the appropriate use of data containing personally identifiable information (PII). If data can be used to identify a person, it suddenly becomes much more important that it doesn’t fall into the hands of people who want to abuse it at that person’s expense. Data privacy ensures that personal information is collected, processed, protected and destroyed legally and fairly. This is also much vaguer than data security, because it’s not always clear what “fair” means.
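To make the split between “deciding who may use the data” (privacy) and “enforcing that decision so it cannot be circumvented” (security) concrete, here is a small added example. It is not code from TOPdesk or from the original post; the record layout, the requester names, the purposes and the “access required by law” table are all hypothetical. The privacy policy lives in one function that answers the question from the paragraphs above (is it the owner, did the owner grant access, or does the law require it, and for which purpose?), and the security layer is a single read path that enforces that answer and writes an audit trail.

```python
"""Added example (not from the original post): a privacy policy that decides
WHO may read personal data and FOR WHAT purpose, and a security chokepoint
that enforces that decision. All names and values below are hypothetical."""
from dataclasses import dataclass, field


class AccessDenied(PermissionError):
    """Raised by the enforcement layer when the policy says no."""


@dataclass
class PersonalRecord:
    """A record containing PII. Field names are hypothetical."""
    owner: str                      # the data subject
    data: dict
    # Explicit grants made by the owner: requester -> set of allowed purposes
    grants: dict = field(default_factory=dict)


# Access required by law rather than granted by the owner: purpose -> principals.
# Hypothetical values only; this is not a statement of what any law requires.
LEGAL_ACCESS = {"legal_obligation": {"compliance-officer"}}


def is_permitted(record: PersonalRecord, requester: str, purpose: str) -> bool:
    """Privacy side: decide who may use the data and for what purpose.
    Matches the rule from the text: own data, explicit grant by the owner,
    or access required by law. Anything else is denied."""
    if requester == record.owner:
        return True
    if purpose in record.grants.get(requester, set()):
        return True
    if requester in LEGAL_ACCESS.get(purpose, set()):
        return True
    return False


def read_record(record: PersonalRecord, requester: str, purpose: str, audit: list) -> dict:
    """Security side: the single path to the data. It does not decide the
    policy; it enforces whatever is_permitted() returns and logs the outcome,
    so every read (allowed or denied) leaves a trace."""
    allowed = is_permitted(record, requester, purpose)
    audit.append((requester, purpose, "allow" if allowed else "deny"))
    if not allowed:
        raise AccessDenied(f"{requester} may not read {record.owner}'s data for {purpose}")
    return dict(record.data)  # return a copy so callers cannot mutate the stored record


def demo():
    """Constructed sample data: alice granted a support agent access for one purpose only."""
    audit = []
    alice = PersonalRecord(owner="alice",
                           data={"email": "alice@example.com"},
                           grants={"support-agent": {"ticket_handling"}})
    requests = [
        ("alice", "anything"),                      # owner: always allowed
        ("support-agent", "ticket_handling"),       # granted purpose: allowed
        ("support-agent", "marketing"),             # same person, other purpose: denied
        ("compliance-officer", "legal_obligation"), # required by law: allowed
        ("marketing-team", "marketing"),            # no grant, no legal basis: denied
    ]
    results = {}
    for requester, purpose in requests:
        try:
            read_record(alice, requester, purpose, audit)
            results[(requester, purpose)] = "allow"
        except AccessDenied:
            results[(requester, purpose)] = "deny"
    return results, audit


if __name__ == "__main__":
    for key, outcome in demo()[0].items():
        print(key, outcome)
```

The point of the third request is the privacy one: the support agent is a legitimate user of the system, but the owner only granted access for ticket handling, so the same person reading the same record for marketing is denied. The point of the single `read_record` path and the audit list is the security one: the policy is only worth something if there is no other way to the data and every decision is recorded.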
To ensure data privacy, you need a data security policy: without confidentiality and integrity there can be no privacy. On the other hand, a good security policy will never be enough to guarantee privacy. No matter how good your security is, it cannot prevent a leak if the company knowingly and willingly sells the data to the highest bidder. Fortunately, since May 2018 companies that do so are punished much more severely than before. But even if a data leak is not intentional, the GDPR requires companies to keep their security up to date: it demands technical and organisational measures appropriate to the risk. If there is a data breach and the authorities find that the company didn’t follow basic security principles, the fine can be enormous (up to 20 million euros or 4% of worldwide annual turnover, whichever is higher). In this way both privacy and security benefit from the new GDPR legislation.