Comparing data protection vs. data security vs. data privacy
Data protection, security and privacy all play pivotal roles in keeping sensitive data safe, but they each have their own goals and characteristics.
An organization's data is one of its most valuable assets and must be protected accordingly. Because there are so many ways an organization's data could potentially be lost or compromised, organizations must take a multifaceted approach to ensuring the well-being of their data. This means focusing on three key areas: data protection, data security and data privacy.
Defining data protection vs. data security vs. data privacy
Although the terms are sometimes used interchangeably, there are several key differences among data protection, data security and data privacy.
Data protection
Data protection is the process of safeguarding important information from corruption, compromise or loss.
Data protection centers around backup and recovery, although there are any number of data protection tools available. Typically, an organization will designate a data protection officer who is responsible for identifying the data that must be protected and designing a set of policies to ensure the data can be recovered in the event that it's deleted, overwritten or corrupted.
In addition to ensuring an organization's data is backed up, data protection policies also protect data in a way that aligns with the organization's service-level agreements, particularly regarding recovery point objectives (RPOs) and recovery time objectives (RTOs).
The RPO is a metric referencing the frequency with which backups are created. The backup frequency determines how much data could potentially be lost in a data loss event. If an organization has an RPO of four hours, then the organization could potentially lose up to four hours' worth of data because all the data that has been created since the most recent backup could potentially be lost.
This article is part of
What is data protection and why is it important?
The RTO is a metric of how long it will take to restore a backup. Organizations define an RTO based on how long they can afford for critical systems to be unavailable during a restore operation.
Data security
Data security is the defense of digital information against internal and external, malicious and accidental threats. Although data security focuses specifically on keeping data secure, it also incorporates infrastructure security -- it's difficult to adequately secure data if the underlying infrastructure is insecure.
Organizations have adopted countless security measures and data security tools to guarantee data security. One such example is multifactor authentication (MFA), which uses at least two different mechanisms to verify a user's identity before granting access to the data. For example, an MFA system might use a traditional username and password combined with a code that is sent to the user's smart phone via text message.
Data privacy
Data privacy, also called information privacy, is when an organization or individual must determine what data in a computer system can be shared with third parties.
There are two main aspects to data privacy. The first is access control. A big part of ensuring data privacy is determining who should have authorized access to the data and who shouldn't.
The second aspect of data privacy involves putting mechanisms into place that will prevent unauthorized access to the data. Data encryption prevents data from being read by anyone who does not have authorized access. There are also various data loss prevention features that are designed to prevent unauthorized access, thereby ensuring data privacy. Such a mechanism might be used to prevent a user from forwarding an email message containing sensitive information.
Key differences
Although there is a degree of overlap between data protection, data security and data privacy, there are key differences between the three.
Data protection vs. data security
Data protection is very different from data security. Security is designed to thwart a malicious attack against an organization's data and other IT resources, whereas data protection is designed to ensure data can be restored if necessary.
Security is usually implemented through a defense-in-depth strategy, meaning that if an attacker breaches one of the organization's defenses, then there are other barriers in place to prevent access to the data. Data protection can be thought of as the last line of defense in this strategy. If a ransomware attack were to successfully encrypt an organization's data, then a backup application can be used to recover from the attack and get all of the organization's data back.
Data security vs. data privacy
There is a strong degree of overlap between data privacy and data security. For example, encryption helps ensure data privacy, but it could also be a data security tool.
The main difference between data security and data privacy is that privacy is about ensuring only those who are authorized to access the data can do so. Data security is more about guarding against malicious threats. If data is encrypted, that data is private, but it isn't necessarily secure. Encryption alone isn't enough to prevent an attacker from deleting the data or using a different encryption algorithm to render the data unreadable.
Data privacy vs. data protection
Data privacy and data protection are two very different things. Data privacy is all about guarding the data against unauthorized access, while data protection involves making sure an organization has a way of restoring its data following a data loss event.
Despite these differences, data privacy and data protection are used together. Backup tapes are commonly encrypted to prevent unauthorized access to the data stored on the tape.
Similarities and overlap
As previously noted, there is a considerable degree of overlap between data protection, data security and data privacy. This is especially true regarding regulatory compliance.
Compliance/regulations
Regulations such as HIPAA, GDPR and the Payment Card Industry Data Security Standard seek to protect data and to prevent the unauthorized disclosure of data by combining data protection, data security and data privacy into a comprehensive data management strategy.
GDPR is a set of data privacy laws enacted by the EU to ensure consumer privacy. These laws force organizations to disclose their data collection efforts and help ensure consumer privacy by giving consumers the right to determine how their data can be used, while also imposing penalties upon organizations for data breaches.
Of course, GDPR isn't the only data protection regulation. In the United States, healthcare providers are subject to HIPAA regulations, which are also designed to ensure the safety and privacy of personally identifiable healthcare data.
GDPR, HIPAA and similar regulations set up data privacy standards while outlining requirements that organizations must put in place to ensure data protection and data security.
Tokenization
Regulations such as GDPR and HIPAA focus heavily on ensuring the privacy of personally identifiable data. One way in which organizations protect themselves, while also helping to ensure consumer privacy, is by using tokenization.
Tokenization involves removing personally identifiable information from data and replacing that information with a data token. This token is usually a number or a random string of characters and serves to separate the data from its subject. That way, if the data was leaked, there wouldn't be an easy way for the recipient of that data to associate a data set with an individual consumer.
