Data privacy is an established discipline which deals with the protection of people’s personal information, in order to protect the individuals themselves. Information about people’s ethnicity, religion, gender, political affiliations, nationality, diseases, physical disabilities, age, and other attributes can be used to unfairly target or persecute people. Information related to a person’s financial status, workplace, place of residence, banking details, national identifiers, and biometric data can also be used to commit identity theft and other crimes against persons. Data privacy regulations therefore try to govern how such information is collected, protected, shared, and disposed of. Data privacy is a practice heavily reliant on laws and regulations, and as such has traditionally been championed by legal practitioners.
Data security (which can be considered essentially the data aspect of Information Security), on the other hand, relates to the protection of data itself. In particular, it deals with the confidentiality, integrity, and availability of data. This may involve many types of information, including financial, business, scientific, military, judicial, marketing, intellectual property, technical, academic, health, or entertainment information. Information security is also an established discipline, and one that is heavily reliant on established security practices. It has traditionally been championed by information security and risk management professionals.
As more personal data is kept in electronic format (as opposed to being kept on paper), and more of that data is being frequently exchanged across geographical boundaries with differing legislative and regulatory protections, technical methods are becoming more necessary to protect privacy. Furthermore, as more and more organisations use the cloud to store and process data (some of which may be personal data), we may not always know through which legal jurisdictions data travels, or what protections cloud service providers have in place. Technical (IT) controls therefore become even more necessary to protect personal data.
Today, privacy professionals realise that the technical controls long used by data protection professionals are critical to their success. At the same time, information security professionals are realising that while they are protecting their data, if some of that data falls into the category of personal information (which is more often than not the case), their protections should properly cater for the ever-increasing compliance requirements related to that data. If we consider a bank, credit union, insurance company, national insurance office, school, university, department store, or hospital, we see that while protecting personal data may not be their core business, they must collect large amounts of personal information from clients and customers, which then needs to be adequately protected. Even if such organisations aren’t that concerned about the personal data which they collect, they certainly should be cognizant of the massive regulatory fines which they may have to pay for not complying with privacy regulations.
The International Association of Privacy Professionals (IAPP), one of the best-known international privacy associations, a few years ago created a certification with technical experts in mind: its Certified Information Privacy Technologist (CIPT). Of the CIPT, the IAPP says: “Data protection authorities around the globe are enforcing regulations that mandate how data can be captured, stored and used. This makes technology, data and other professionals with dual literacy in both privacy and technology essential components to ensure operations meet privacy goals and mitigate risks.” ISACA, one of the world’s leading international professional information security associations, which already had a number of top-level information security certifications, introduced a data privacy certification a few years ago – the Certified Data Privacy Solutions Engineer (CDPSE). According to ISACA, “CDPSE holders help fill the technical privacy skills gap so that your organization has competent privacy technologists to build and implement solutions that mitigate risk and enhance efficiency.” Apparently, these two associations realize that there is common ground on which data privacy and information security can serve their organisations.
Information security professionals who are supporting projects today need to consider the privacy aspect, and as such may need to ensure that a Data Privacy Impact Assessment (DPIA) is performed by data privacy professionals. Likewise, data privacy professionals working on large projects need to ensure that standard information security measures are put in place by the information security team, such as data classification, backup & recovery, Data Leak Protection (DLP), incident response, access controls, audit logging, and data encryption. One may even argue that today Data Privacy Officers (who oversee data privacy in an organization) and Data Commissioners (who oversee data privacy in a legal jurisdiction) need to be au fait with certain aspects of information security, to be able to understand how well personal data is being protected in an organization. While information security professionals need not be anything like legal experts, knowledge of the data privacy regulations in the jurisdictions where their data is stored or processed would certainly go a long way in helping them to implement adequate controls to protect their data and avoid running afoul of regulators.
Recently a local financial institution placed an ad in a local paper for a “cyber security & data protection officer”. While these two roles are usually separate and distinct, this ad may signal that organisations are starting to see these roles as more similar than they were traditionally thought to be. While I personally see merit in keeping such roles separate so that each can properly focus on its own areas of responsibility (and the appearance of a conflict of interest doesn’t occur), I can well imagine that more ads like these may eventually not cause many to raise their eyebrows.
About the Author:
David Gittens MSc, CISSP, CISA, CISM, CDPSE, AMBCI, HISP, CRISC, GDPR F, CCSP is a seasoned information security consultant who has spent many years performing consulting and risk management services for regional and international financial institutions, as well as providing advisory services to government institutions in the area of information security. He holds several information security and data privacy certifications. He is a member of the ISSA Barbados chapter, which is the first and only information security association in the country.