Data Protection v Data Security v Data Privacy

Data protection, security and privacy all play pivotal roles in keeping sensitive data safe, but they
each have their own goals and characteristics.

An organization's data is one of its most valuable assets and must be protected accordingly. Because
there are so many ways an organization's data could potentially be lost or compromised,
organizations must take a multifaceted approach to ensuring the well-being of their data. This
means focusing on three key areas: data protection, data security and data privacy.

Defining Data Protection, Data Security and Data Privacy

Although the terms are sometimes used interchangeably, there are several key differences among
data protection, data security and data privacy.

Data Protection

Data protection is the process of safeguarding important information from corruption, compromise
or loss.

Data protection centres around backup and recovery, although there are any number of data
protection tools available. Typically, an organization will designate a data protection officer who is
responsible for identifying the data that must be protected and designing a set of policies to ensure
the data can be recovered in the event that it's deleted, overwritten or corrupted.

In addition to ensuring an organization's data is backed up, data protection policies also protect data
in a way that aligns with the organization's service-level agreements, particularly regarding recovery
point objectives (RPOs) and recovery time objectives (RTOs).

The RPO is a metric referencing the frequency with which backups are created. The backup
frequency determines how much data could potentially be lost in a data loss event. If an
organization has an RPO of four hours, then the organization could potentially lose up to four hours'
worth of data because all the data that has been created since the most recent backup could
potentially be lost.

The RTO is a metric of how long it will take to restore a backup. Organizations define an RTO based
on how long they can afford for critical systems to be unavailable during a restore operation.
 What is Data Protection and Why Do You Need It?

Data Security

Data security is the defence of digital information against internal and external, malicious and
accidental threats. Although data security focuses specifically on keeping data secure, it also
incorporates infrastructure security -- it's difficult to adequately secure data if the underlying
infrastructure is insecure.

Organizations have adopted countless security measures and data security tools to guarantee data
security. One such example is multifactor authentication (MFA), which uses at least two different
mechanisms to verify a user's identity before granting access to the data. For example, an MFA
system might use a traditional username and password combined with a code that is sent to the
user's smart phone via text message.

Data Privacy

Data privacy, also called information privacy, is when an organization or individual must determine
what data in a computer system can be shared with third parties.

There are two main aspects to data privacy. The first is access control. A big part of ensuring data
privacy is determining who should have authorized access to the data and who shouldn't.

The second aspect of data privacy involves putting mechanisms into place that will prevent
unauthorized access to the data. Data encryption prevents data from being read by anyone who
does not have authorized access. There are also various data loss prevention features that are
designed to prevent unauthorized access, thereby ensuring data privacy. Such a mechanism might
be used to prevent a user from forwarding an email message containing sensitive information.
Data security refers to measures taken to protect the integrity of the data against manipulation and
malware, while privacy refers to controlling access to the data.

Key Differences

Although there is a degree of overlap between data protection, data security and data privacy, there
are key differences between the three.

Data Protection v Data Security

Data protection is very different from data security. Security is designed to thwart a malicious attack
against an organization's data and other IT resources, whereas data protection is designed to ensure
data can be restored if necessary.

Security is usually implemented through a defence-in-depth strategy, meaning that if an attacker

Data Security v Data Privacy

There is a strong degree of overlap between data privacy and data security. For example, encryption
helps ensure data privacy, but it could also be a data security tool.

The main difference between data security and data privacy is that privacy is about ensuring only
those who are authorized to access the data can do so. Data security is more about guarding against
malicious threats. If data is encrypted, that data is private, but it isn't necessarily secure. Encryption
alone isn't enough to prevent an attacker from deleting the data or using a different encryption
algorithm to render the data unreadable.

Data Privacy v Data Protection

Data privacy and data protection are two very different things. Data privacy is all about guarding the
data against unauthorized access, while data protection involves making sure an organization has a
way of restoring its data following a data loss event.

Despite these differences, data privacy and data protection are used together. Backup tapes are
commonly encrypted to prevent unauthorized access to the data stored on the tape.
Similarities And Overlap

As previously noted, there is a considerable degree of overlap between data protection, data
security and data privacy. This is especially true regarding regulatory compliance.

Compliance / Regulations

Regulations such as HIPAA, GDPR and the Payment Card Industry Data Security Standard seek to
protect data and to prevent the unauthorized disclosure of data by combining data protection, data
security and data privacy into a comprehensive data management strategy.

GDPR is a set of data privacy laws enacted by the EU to ensure consumer privacy. These laws force
organizations to disclose their data collection efforts and help ensure consumer privacy by giving
consumers the right to determine how their data can be used, while also imposing penalties upon
organizations for data breaches.

Of course, GDPR isn't the only data protection regulation. In the United States, healthcare providers
are subject to HIPAA regulations, which are also designed to ensure the safety and privacy of
personally identifiable healthcare data.

GDPR, HIPAA and similar regulations set up data privacy standards while outlining requirements that
organizations must put in place to ensure data protection and data security.

Tokenisation

Regulations such as GDPR and HIPAA focus heavily on ensuring the privacy of personally identifiable
data. One way in which organizations protect themselves, while also helping to ensure consumer
privacy, is by using tokenisation.

Tokenization involves removing personally identifiable information from data and replacing that
information with a data token. This token is usually a number or a random string of characters and
serves to separate the data from its subject. That way, if the data was leaked, there wouldn't be an
easy way for the recipient of that data to associate a data set with an individual consumer.