The differences between data privacy and data security
When we talk about data privacy and security, there is no doubt that, over the last few years, people have taken a greater interest in who has access to their data and how people use it.
Even though data breaches are happening with disturbing regularity, they still make headline news, according to Saeed Ahmad, Managing Director, Middle East and North Africa, Callsign.
The existence of legislative measures and the actions of agencies mean that the fines officials impose on the organizations that allow breaches to happen also make the news.
But we can do better to raise consumer awareness around data privacy, not just in terms of the measures consumers can take, but in terms of its very definition – and how it’s different from data security.
That’s an important priority because we use the two terms interchangeably all too often. And while they are interlinked, it’s critical to understand the difference. Simply put, security is all about putting walls around your data and protecting it. Privacy is controlling who can then access your data within those walls.
The UAE has introduced and amended an array of laws to upgrade its legal system and bring it in line with best practices and international standards. Among the more notable legislative changes is Federal Decree-Law 45 of 2021, the UAE’s first standalone federal law concerning data protection, called the Data Protection Law.
In the event of a data breach, the Data Protection Law requires the controller to notify data subjects if the breach is likely to be “high risk” to the relevant individuals’ rights and freedoms. However, it does not specify what constitutes high risk or set out the relevant threshold.
Addressing the challenges
As digitalization increases and individuals place more importance on data privacy and security, businesses face new challenges. Consumers expect the very highest levels of security and governance around their data, yet they also demand more control over their personal information.
This goes beyond simply setting and controlling access levels. Businesses must understand what personal data they are holding, and its value. For their customers, that value will be very high, given that it represents their digital identities.
And it also extends to the manner of data collection: it’s not enough to assume that it’s for marketing purposes. If a business is remiss in getting informed consent from the user, it may violate data privacy requirements, even though the actual data security is watertight.
The cost of getting it wrong
What happens when data privacy goes awry? A business could find itself in a very difficult position. Officials worldwide hit businesses with astonishingly high fines for data violations.
The extent of the fines imposed reflects the seriousness of the problem. For the business, that’s expensive. And of course, the money aspect is only one part of the problem. Digital trust is critical for any business looking to attract and retain customers. It’s hard-won and easily lost. And few things can damage an organization’s reputation and credibility as much as a data breach or a highly publicized case of data privacy violation.
Changing the viewpoint
Those caveats should be reason enough for any business to get its house in order. But there is limited mileage in adopting a purely reactive stance. What we really need is a proactive approach – a mindset shift in the perceptions around customer data.
It’s easy to view privacy as a necessary inconvenience, a regulation to abide by, but the danger here is that the understanding of privacy can tail off at the point of data collection. Businesses need to take the critical step of holding themselves accountable for the protection of ever-increasing amounts of personal data they store for their customers.
Privacy under the microscope
One of the first questions that any customer asks after a case of account takeover (ATO) is ‘How did they get my data?’ And it’s a valid question. All too often, the subsequent investigations find that data breaches were avoidable.
So, for businesses, the pressure is increasing to ensure that they get data privacy right the first time and every time. For many, that is going to entail fundamentally altering their current privacy strategies and baking them into all their products and services.
And it’s important to remember that this must happen alongside maintaining robust data security; once again, this is not an either/or situation.
It’s not without its challenges, but the payoffs are clear. As well as closing off attack vectors for ATO, it firms up an organization’s defense against a huge range of malicious activity.
And for any business, it’s the building block of that elusive digital trust that will ensure consumers feel confident using products and services.