Data Privacy vs. Data Security: Differences & How They Work Together
We explore the nuanced world of data management, with a focus on privacy and security. Learn what sets these concepts apart and why they are important now more than ever.
Scandals involving the misuse of personal data have frequented headlines in the past few years. In a world where data has been coined “the new oil,” cyber criminals have also cropped up to take advantage via tactics like phishing, Trojan Horse malware, and more.
When we talk about data protection, we often veer between two distinct but related topics: data privacy and data security. At first glance, these two things may seem the same, but they’re actually distinct levers for data protection.
What is data privacy?
Data privacy is the act of protecting information from unauthorized collection, storing, or sharing. It most often refers to digital data, especially personally identifiable information (PII). Data privacy is concerned with protecting an individual’s right to have a say in how their data is being collected and used.
Regulations and laws regarding data privacy have been around for decades, but they’ve continued to pick up steam in recent years. In 2018, the GDPR acted as a touchstone moment in the privacy landscape, setting a global precedent on how personal data should be processed and stored by the organizations that collect it. (Moreover, it gave individuals the ability to dictate how their personal data could be used.)
What is data security?
Data security refers to the safeguarding of customer data from those who wish to access or use it without permission (e.g., identity theft, cyberattacks). It involves techniques like data encryption, employee education on best practices (e.g., never downloading an email attachment from a suspicious or unknown entity), or regularly auditing systems to detect any vulnerabilities.
Data privacy vs. data security
While there is certainly overlap between data privacy and data security, the key thing to remember is:
Data privacy is concerned with how an individual’s data is collected, used, and stored – assuring compliance with applicable privacy laws and regulations.
Data security is focused on protecting data from cyberattacks or unauthorized users, and the threat of data theft, corruption, or breaches.
Best practices for data privacy
Protecting customer data isn’t a simple task. The regulatory landscape is changing rapidly, and generative AI’s popularity has dredged up concerns over how to protect personal data from sneaking into training models.
However, with the right infrastructure, permission controls, and internal policies, effective data privacy at scale is attainable. Here’s how to lay the right foundation.
Understand privacy regulations
Protecting customer privacy is both an ethical and legal matter. Understanding which laws and regulations you’re beholden to is essential – not just to stay compliant, but to secure trust with your customers. We’ve mentioned the GDPR, one of the most famous data privacy laws currently. And while the GDPR covers EU residents, it also applies to any business that has customers in that region (no matter where that company is based).
Here are just a few things to consider when trying to understand which privacy laws apply to your business.
Are you in a highly regulated industry like healthcare or finance, which have their own regulations? For instance, the Health Insurance Portability and Accountability Act of 1996 or HIPAA or the Gramm-Leach-Bliley Act.
Data residency laws. Are you required to collect, store, and process data in the region your customers are in?
Data resiliency. How prepared is your business to prevent or recover from an interruption like a system failure, cyberattack, or power outage? Here’s an excerpt of how Twilio handles resilience, from our Security policy:
18.1 Resilience. The hosting infrastructure for the Twilio Services and Segment Services (a) spans multiple fault-independent availability zones in geographic regions physically separated from one another and (b) is able to detect and route around issues experienced by hosts or even whole data centers in real time and employ orchestration tooling that has the ability to regenerate hosts, building them from the latest backup.
Interested in learning more? We compiled a list of 16 data privacy training courses worth checking out.
Obtain explicit consent from individuals
Customers own their data, including their name, email address, and cell phone number – and to use this data, you need their explicit permission. That means informing them of how their information will be used, and giving them the chance to agree and to opt-in.
At Segment, we created an open source Consent Manager to help automate the process of requesting user consent, storing user preferences on privacy, and updating these preferences at the user’s request.
Limit internal access to data
Even if you have to collect sensitive data (like credit card information, health records, etc.), not everyone in your organization should have access to it. To protect confidentiality and strengthen security, we recommend classifying data according to its level of risk (and there are ways to automate this). For example, someone’s social security number should be considered highly sensitive information, whereas their job title would be considerably less risky.
After classifying this data, businesses can then implement role-based access controls to control who has access and visibility into these different types of data. .
Best practices for data security
How can you ensure that data stays safe and away from prying eyes? Consider these must-dos for companies of every size.
Implement a comprehensive data security policy
You can’t make up data security as you go; having a clear, well-documented policy is essential. This data security policy often includes:
The specific certifications and attestations your business has (e.g., ISO 27001, SO2 Compliance, etc.). At Twilio’s Segment, our security framework is based on the ISO 27001 Information Security Management System with programs covering: Policies and Procedures, Asset Management, Access Management, Physical Security, Operations Security, Communications Security, Business Continuity Disaster Recovery Security, Cloud and Network Infrastructure Security, and more.
How you’re classifying data by risk level.
What controls are in place to limit who internally has access to data (e.g., principle of least privilege).
A plan of action in the event of a data breach or security incident. For instance, Twilio policies are in line with NIST SP 800-61 (the National Institute of Standards and Technology’s Computer Security and Incident Handling Guide).
Regular auditing of how data is handled and stored throughout its lifecycle, the systems, tools, hardware being used, current user permissions (and so forth) to ensure compliance.
Conduct regular risk assessments
Risk assessments are a key component of data security – when businesses assess potential threats or uncertainties and what impact they could have on the organization. Conducting a risk assessment is crucial from spotting potential weak spots before they’re taken advantage of by bad actors, and for having the proper plans and procedures in place should the worst case scenario occur.
For instance, a risk assessment could uncover that certain teams are storing passwords to specific apps and tools in a shared doc. After discovering this, a business could implement stronger security features, like single sign-on (SSO) or multi-factor authentication (MFA).
At Segment, we currently monitor sites like GitHub for orphaned or compromised API tokens, and revoke any tokens that become public. Customers then get a notification of this revocation, along with guidance on how to monitor for data security issues.
An email notification for when a Public API token has been publicly exposed, and automatically revoked.
Encrypt all sensitive data
Data should be encrypted both at rest and in transit to ensure its protection.
You can protect data as it’s being transmitted with the Transport Layer Security (TLS) protocol and use hash technology to hide passwords. Any tools or cloud providers should also use encryption at all levels.
For customers using Segment to send data to a warehouse (Redshift, Snowflake, etc.), your data will be stored inside the data warehouse that you own, manage, and secure.
Limit and monitor third-party access to data
In addition to limiting internal access to data and data tools, carefully consider how much data you allow your vendors and integrations to view or use. Many tools ask that you grant the maximum access by default. You can limit risk by reviewing each permission and only approving those necessary to do business.
Review these permissions regularly, revoking those that no longer make sense. If an app or integration hasn’t had a security update in a while, it may no longer fit your high threshold for vendors and may need to be replaced. Incorporate rigorous data privacy training for your employees so that team members know how data should be shared. This may include new generative AI apps, like ChatGPT, that may save customer data for future machine learning uses and not keep customer data private at all.
Interested in hearing more about how Segment can help you?
Connect with a Segment expert who can share more about what Segment can do for you.