Privacy Management & Information Security - Two Sides of the Data Protection Coin

by Sypher | Published in Resources


Most organisations rightly view Information Security as mission-critical, while concerningly few view Privacy Management beyond a mere regulatory obligation. However, Privacy and Security are two sides of the same coin — Data Protection — and it pays to start thinking of them this way.

While Information Security (InfoSec) is thoroughly documented, proficiently applied, and well financed, Privacy Management has only recently shifted into focus — mainly because of GDPR — and, as a result, is not particularly well financed or implemented, as those (admittedly few) who have been handed hefty fines by Data Protection Authorities (DPAs) have found out.

This article makes the case for a more productive and efficient relationship between Privacy Management and Information Security Management, while keeping the two activities relatively compartmentalised and independent where needed.

Depending on your familiarity with some of the sub-topics, feel free to navigate the article according to your interests, by consulting this summary:


What Is Privacy Management?

  • Privacy is about people
  • Privacy is activity centric
  • Data-subject rights vs. organisation interests

The Information Security Perspective

  • InfoSec is asset centric
  • The 3 pillars of information security

Privacy Management + InfoSec = Data Protection

  • The intersections of Privacy Management & InfoSec
  • Better collaboration = increased efficiency

Final Thoughts


What Is Privacy Management?

Privacy Management is a set of activities focused on establishing and maintaining a system that ensures the rights of individuals are protected when an organisation processes personal data.

In a way, you can think of personal data as money.

When you entrust a bank with your money, the money is and always remains yours, and at any moment, you can decide to withdraw it. Also, the bank needs to take the necessary measures to protect it and follow specific regulations.

Similarly, when you entrust your personal data to an organisation in exchange for some benefits, the organisation can use the data according to a set of rules and you have the right to withdraw (delete) or update your data as you see fit.

In a nutshell, privacy management ensures that the organisation is prepared to protect personal data just as a financial institution protects its clients' money.


Privacy is about people

Because Privacy Management primarily focuses on protecting the rights of data subjects, in practice it is often compartmentalised and kept independent from Security Management, and even from IT Management.

This is also why the Data Protection Officer (DPO) is normally prohibited from holding a leading managerial position within the organisation. One cannot both determine the purposes and means of data processing and oversee that this processing complies with the law, as that would constitute a conflict of interests.


Privacy is activity centric

One common task of the privacy team is to create comprehensive records of processing activities (ROPA) with the ultimate purpose of analysing each activity in order to see whether the required lawfulness and security controls are in place.

The privacy team also checks whether the necessary documentation exists, offering the organisation the ability to demonstrate that it processes personal data lawfully and securely.

For those activities deemed to present a high risk to data subjects' rights and freedoms, a Data Protection Impact Assessment (DPIA) is required, which entails a more thorough analysis of the risks and of the measures that mitigate them.


Data-subject rights vs. organisation interests

As initially stated, many organisations find Privacy Management tedious or they view it as a mere regulatory obligation. To address this problem, the intersection between the interests held by organisations and their data subjects’ interests is worth a closer look.

Data-subject rights and organisation interests overlap, at least up to a certain point. For example, both the organisation and the data subject want to make sure that unauthorised parties cannot access, delete, or modify their data.

However, there are areas where these interests differ. The data subject might not want an online store to hold on to their personal data after they’ve finished the ordering process, but the retailer might want (or have) to retain the data for further use.

Or, in some cases, the organisation might not care what happens to personal information that is no longer valuable to them, but for the data subject it might be a completely different story. If assets containing the personal data are not properly discarded, third parties might still use them to collect personal data and use it for nefarious purposes, such as identity theft.


The Information Security Perspective

InfoSec focuses on the protection of every information asset that the organisation deems valuable; naturally, this includes assets that encompass personal data.


InfoSec is asset centric

Unlike the Privacy team, which looks primarily at data-processing activities, the InfoSec team is primarily focused on data-supporting assets to determine or establish:

  • Risks and risk sources;
  • Appropriate controls and actions against these risks;
  • The policies, procedures, and guidelines required to establish and maintain security.


The 3 pillars of information security

Often referred to as the C-I-A triad, three crucial elements must be addressed for Information Security to be achieved at a satisfactory level:

  • Confidentiality — it prevents sensitive information and data from falling into the wrong hands, while ensuring access for the right personnel;
  • Integrity — it maintains the consistency, accuracy, and trustworthiness of information and data;
  • Availability — it ensures that the information is readily accessible to authorised users whenever they need it.


Privacy Management + InfoSec = Data Protection

Data Protection is often used interchangeably with both Data Privacy and Information Security, so distinctions are in order. We use Data Protection as an umbrella term that encompasses both Privacy Management AND Information Security.


The intersections of Privacy Management & InfoSec

When it boils down to protecting data (of all sorts), the distinctions between Privacy and Security are remarkably clear:

  • WHY we do them — We manage Privacy driven by regulatory requirements, and Information Security because we choose to protect valuable data within the organisation.
  • FOCUS — InfoSec traditionally tends mostly to the organisation's interests, while Privacy Management's main duty is towards protecting the data subjects' rights.

Nonetheless, there are also clear overlaps between Privacy and Security, in terms of:

  • SCOPE — Personal information actually represents a big part of the larger body of valuable information that is typically in the scope of InfoSec;
  • WHAT they actually do — They both manage the security of data processing (with distinctions in scope), and both departments care about the lawfulness of personal data processing when audited, since auditors are usually interested in the data-protection big picture.


Better collaboration = increased efficiency

Since every organisation needs to ensure both the privacy and security of the personal information processed, it makes perfect sense to save time and increase operational efficiency by coordinating these activities and eliminating redundant work.

Although there is no “one-size-fits-all solution,” here are the things that we find to be useful when attempting to unify and streamline the Privacy Management and Information Security activities.

👉 Correlate the records of processing activities (ROPA) & the data-supporting assets register

As there can be no data processing activity without data supporting assets, organisations should connect each data-processing activity with the relevant data-supporting assets instead of documenting each of them on separate flows.

The main benefits of doing this are:

  • By looking at the underlying security information for the connected assets, the Privacy team can better understand what the potential security risks are for each relevant processing activity and how well they are managed.
  • By acknowledging the risk severity of each activity, the InfoSec team can better understand which assets are used in important activities and prioritise the resources needed to protect these assets.
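As an added illustration of the two views described above (not code from the article or from Sypher), the following Python model links a constructed ROPA to a constructed asset register and derives both: the per-activity control gaps the Privacy team would want to see, and the per-asset priority the InfoSec team would use. The asset ids, control names and severity scale are assumptions made for the example.

```python
from dataclasses import dataclass
# Constructed sample data, not from the article: a minimal ROPA and asset register.
SEVERITY = {"low": 1, "medium": 2, "high": 3}           # DPIA-style risk to data subjects
BASELINE = {"encryption", "access-control", "backup"}   # controls InfoSec expects

@dataclass
class Asset:
    asset_id: str
    controls: set        # controls actually in place on this data-supporting asset

@dataclass
class Activity:
    name: str
    severity: str        # "low" / "medium" / "high"
    asset_ids: list      # data-supporting assets this processing activity relies on

ASSETS = {a.asset_id: a for a in [
    Asset("crm-db", {"encryption", "access-control", "backup"}),
    Asset("hr-share", {"access-control"}),
]}
ACTIVITIES = [
    Activity("Order fulfilment", "medium", ["crm-db"]),
    Activity("Employee onboarding", "high", ["hr-share", "paper-archive"]),
]

def activity_gaps(activities, assets):
    """Privacy view: per activity, the missing controls on each supporting asset.
    An asset id with no register entry (e.g. a paper archive) is itself a gap."""
    report = {}
    for act in activities:
        gaps = {}
        for aid in act.asset_ids:
            asset = assets.get(aid)
            if asset is None:            # referenced in the ROPA but unknown to InfoSec
                gaps[aid] = {"NOT IN ASSET REGISTER"}
            elif BASELINE - asset.controls:
                gaps[aid] = BASELINE - asset.controls
        report[act.name] = gaps
    return report

def asset_priority(activities, assets):
    """InfoSec view: registered assets ranked by the highest-severity activity
    that depends on them, so protection effort follows data-subject risk."""
    score = {aid: 0 for aid in assets}
    for act in activities:
        for aid in act.asset_ids:
            if aid in score:
                score[aid] = max(score[aid], SEVERITY[act.severity])
    return sorted(score.items(), key=lambda kv: kv[1], reverse=True)
```

Running `activity_gaps(ACTIVITIES, ASSETS)` surfaces the paper archive that the asset register never captured, which is exactly the kind of blind spot the shared repository is meant to expose.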

👉 Avoid department-specific jargon when collaborating, or at least be mindful of everyone's level of knowledge.

👉 Create a centralised risk & compliance information repository and implement a common plan for security and privacy initiatives.

This will not only help save time and work, by enabling both teams to reuse commonly available information, but it will also help identify potential gaps stemming from the different perspectives Privacy Management and InfoSec take when analysing compliance.

For example, as most of the data and information found within an organisation is digital, the InfoSec team generally uses various technical tools to find and classify it, but might find it hard to keep track of the physical documents flowing in and out of the organisation.

On the other hand, as the privacy team has a more people-focused approach (frequently talking with colleagues in each department), they have the opportunity to discover these physical assets and bring them into the analysis flow.


Final Thoughts

We have explored the benefits of connecting the ROPA with the data-asset register and those of a centralised risk & compliance information repository.

However, beyond any procedures and foreseeable technical solutions, nothing beats common sense when building lasting collaborations.

So, here are the three thoughts with which we wish to leave you:

  • Do your best to change perceptions — focusing on what Privacy Management and InfoSec have in common, instead of their differences, will make it easier to see the benefits of a shared approach.
  • Build the bigger picture — this will help you identify the blind spots of each department, find out what each of them is doing best, and explore how they can both benefit from what the other department is doing.
  • Stay aware of differences — last, but not least, know where to draw the line and acknowledge that some things are meant to stay separate, and it's best if they stay this way, for both the data subjects' rights and the interests of the organisation.
