October 2016 | Thought Leadership
Although data privacy and data security are often used as synonyms, they are not interchangeable phrases or ideologies. They share more of a symbiotic type of relationship.
Privacy is personal and relates to the collection and use of personal data. It is the understanding between a customer and an organisation about what information will be collected and how it will be used. Consumers relay their personal data in exchange for services they want. For example, if a customer wanted to buy a book online, they understand that they have to provide the merchant with their name, address, and credit card information so the book can be paid for and delivered. They entrust their personal information with the understanding that the bookseller will not use their information for any other reason and assume the company will maintain the privacy of their personal data.
Security is impersonal. Security is not concerned with what is collected or how it is used, the protection of that personal data from unwanted intruders. In the case of the book shop, security would be the four walls, locked doors, and alarm system; or online it may include network protection, encryption, and authentication that only permit authorised individuals to access the personal information.
Although intertwined, it is crucial that privacy and security are addressed separately with different policies and processes. If a company doesn’t have security in place to protect personal data, then its privacy policies will be meaningless because it won’t be able to prevent the unauthorized access to data. Conversely, if a company doesn’t have a clear understanding of what data it collects and how it will use it, then it will be impossible to provide true security.
Privacy legislation is also different across international borders, with the US, EU and Australia all having different laws that govern the collection and use of private information. And in today’s global economy, it is important to be compliant with the laws of the country in which you are serving. The recent provision of the Australian Privacy Principles and European Privacy Shield demonstrates how serious the law makers are about defending privacy. Companies need to enact a data security policy for the sole purpose of ensuring data privacy of their consumers’ information. More so, companies must ensure data privacy because the information is a trusted asset to the company. A data security policy can be viewed as simply the means to the desired end, which is data privacy.
Risk & Mitigation
Making sure all company data is private and being used properly can be a near-impossible task that involves multiple layers of security. Fortunately, with the right people, process and technology, you can support your company’s data security policy through continual monitoring and visibility into every access point.
Organizations are using cloud computing to perform increasingly strategic and mission critical functions. At the same time, companies are facing pressures and challenges to protect information assets belonging to their customers. Unsurprisingly security, privacy and availability are among the topmost concerns in their cloud adoption decisions rather than the total cost of ownership.
It is likely that your company is processing, storing, or transmitting data that’s subject to regulatory and compliance requirements. Your choice of cloud deployment (whether private, hybrid or public) hinges on an understanding that the provider is fully compliant, otherwise you run the risk of violating privacy, regulatory or other legal requirements. Concerns about privacy and control over data are often cited as the major impediments to the growth of cloud and its adoption by both business and government in Australia. And it’s easy to understand why – moving to the cloud means relinquishing a degree of physical control over your IT infrastructure and relying, in part, on your cloud vendor to ensure that your information is kept private and secure. It is important to note that if your data is stored in offshore locations, those locations may or may not be in countries that have privacy laws which are the same or similar to those in Australia.
However, contrary to popular perception, cloud computing services are not incompatible with Australia’s privacy laws. In general, cloud computing does not raise legal issues that are new or even dissimilar to issues that have arisen in respect of other IT services (such as in the outsourcing and offshoring models). In relation to other IT services, the issues have been successfully managed by prepared and well-advised businesses.
Benefits of Cloud
Cloud computing can be a blessing from a security standpoint. For organisations that lack echnological and human resources to focus on security, cloud can provide low-cost, high level security to your computing requirements. Privacy of data can also benefit with out-of-the-box tested solutions for baseline compliance such as user identity, access management, data protection and incident response.
Sensitive data processed outside the enterprise brings with it an inherent level of risk, because outsourced services bypass the “physical, logical and personnel controls” IT shops exert over in-house programs. Get as much information as you can about the people who manage your data. Cloud providers should supply specific information on the hiring and oversight of privileged administrators, and the controls and footprint logging for access to your data.
Customers must demand transparency, avoiding cloud vendors that refuse to provide detailed information on security programs. Ask questions related to the qualifications of policy makers, architects, coders and operators. Be aware of the vendor’s risk-control processes and technical mechanisms, and find out the level of testing that’s been done to verify that service and control processes are functioning as intended.
When you use cloud computing, you probably won’t know exactly where your data is hosted. In fact, you might not even know what country it will be stored in. Ideally a locally manned, secure data centre is your preferred option as they will always be treated under Australian law for Australian consumers and businesses. However no matter where the data is physically located, ensure your provider will commit to storing and processing data in accordance with Australian privacy requirements.
The final point to consider with privacy and security, and this crosses both categories, is data segregation. Data in the cloud can be in a shared environment alongside data from other businesses. Encryption can be effective to keep your data secure but isn’t a cure-all. Ensure your sensitive data is on dedicated equipment, and map your specific compliance and privacy requirements to your cloud providers controls to maintain privacy and security of the data from internal and external threats.
Although closely related, data privacy and data security are fundamentally different. It is important to understand these differences and how processes, policies and legal requirements also differ for each. This is particularly important in a cloud computing environment given that your data may be in someone else’s hands.
It is critical to understand the risks and what to ask and expect of your cloud provider to ensure your data remains secure and private and that your organisation remains trusted by your customers.
Read the article: Privacy vs Security