Over the past decade, public reactions to privacy breaches, such as the #DeleteFacebook trend sparked by the Cambridge Analytica scandal, have grown, with potentially financial, customer and reputational ramifications. As American billionaire, investor, and philanthropist Warren Buffett said, "It takes 20 years to build a reputation and five minutes to ruin it. If you think about it, you'll change the way you do things."
As organizations seek to understand their data privacy requirements and how they relate to data security programs, questions have been raised about integrating these activities through the collaboration of the chief information security officer (CISO) and chief privacy officer (CPO). These two roles have a common goal: to protect the organization's data. But their focus is different, CISO is responsible for protecting all information assets, and CPO is responsible for protecting the interests of organizational data subjects (such as customers, employees). But they can collaborate, for example in response to an information breach involving customer data using third-party applications. In such cases, both roles must work together to manage the incident, communicate with affected groups, and participate in post-incident review meetings to identify improvements to the third-party vendor's management plan.
The terms data security and data privacy are often used interchangeably; however, they are not the same. They all have unique applications and play key roles in protecting and controlling information assets. Businesses must understand the difference between data privacy and data security, why this distinction is important, and how to manage both concepts in an integrated manner for purposes such as protecting personal information.
Generally speaking, data privacy refers to the ability of individuals to determine for themselves when, how and to what extent their personal information, such as a person's name, location, contact information or behavior online or in the real world, is shared or communicated with others. Just as someone may wish to exclude others from private conversations, many online users wish to control or block the collection of certain types of personal data. To enforce data privacy, policies and procedures must comply with regulations (such as the EU General Data Protection Regulation [GDPR]) ensuring that the collection, use, sharing, storage and deletion of personally identifiable information (PII) is controlled and managed according to the data subject's preferences .
Data security, on the other hand, protects all information assets, including personal information, from various threats such as unauthorized access, improper use, or cyber-attacks through various preventive, detection, and corrective controls. Overall, it tries to ensure the triplet of Confidentiality, Integrity, and Availability (CIA).
Privacy and security have an interrelated relationship, as shown in Figure 1. Privacy defines how personal information is used and managed, while security is about implementing controls to protect that information from potential threats. A simple example of this relationship is a house where the windows are the security controls and the curtains are at the discretion of the homeowner for privacy.
Another example is when a person downloads a new application (App) on a smartphone, they need to agree to a privacy policy to use it, which details what information will be collected and how it will be used. Potential users of the App must decide whether to agree to these terms. In terms of security, the app is designed to protect the user's identity and data through various security controls to prevent unauthorized access and potential information leakage.
As mentioned earlier, data security and data privacy are two different but interrelated terms, and this also applies to the leadership positions responsible for these functional areas. When comparing the roles of CISOs and CPOs, there are differences in terms of educational background (e.g., IT versus legal/compliance), responsibilities (e.g., security operations versus privacy impact assessment), and reporting structures (e.g., CIO versus legal counsel). key difference. However, since both roles are responsible for securing an organization's data, there are potential synergies that can be realized through collaboration, such as:
Support an organization's data protection awareness and training efforts to create a culture of security awareness
Share information with each other about what data is collected within their respective business units and for what purpose
Train privacy teams on information security best practices to support privacy impact assessment efforts
Host a joint planning session to develop an information security roadmap that meets privacy requirements