All too often, when it comes to cloud risk, there is no clear distinction between data security and data privacy. The two terms are frequently used as synonyms, or one is used as a catch-all for both. As this post by Brian Anderson details, this is not the case. Data security comprises the concepts and instruments that are put in place to ensure that sensitive data is not accessed, modified or taken by unauthorised parties. Data security instruments therefore include data protocols, access-level rights, firewalls and even antivirus software that picks up on trojans or keyloggers that may enable an unauthorised third party to access data that they should not. At the same time, data security ensures that the data is reliable, retains its integrity, and is available and confidential.
Distinct from that is the concept of data privacy, which concerns the appropriate use of sensitive data. Companies in the UK, for instance, are required to follow the Data Protection Act, which requires them to use sensitive data fairly and lawfully, for limited, specifically stated purposes, and in a way that is adequate, relevant and not excessive. At the same time, the information embodied in the data needs to be accurate, kept for no longer than is absolutely necessary, handled according to people’s data protection rights, kept safe and secure, and not transferred outside the UK without adequate protection. Therefore, data security protocols need to be in place to ensure the privacy of sensitive data, which is mostly customer-related data. Companies are often criticised for how they treat the data they are supposed to protect. Facebook, for instance, has been heavily criticised (and even sued) for its data security protocols, which impact the data privacy of its users’ personal data.
To summarise the relationship between data security and data privacy: data security is the means of ensuring data privacy. The two are certainly not the same, but they typically go together.