Data privacy has been in the news a lot recently, but what exactly is it? And what’s the difference between data privacy and the better known field of data security?
One way of thinking about the two is in terms of their goals. For some time there have been three widely adopted goals for data security, known as the CIA Triad: confidentiality, integrity, and availability. These goals helped to move from ‘security’ as a more abstract concept to one which could be measured, allowing systems to be evaluated and compared. In a similar vein, the US National Institute of Standards and Technology (NIST) has published similar goals for data privacy: predictability, manageability, and disassociability. It’s worth mentioning that the European Union Agency for Cybersecurity (ENISA) also published three goals for data privacy, but we’ll focus on NIST here as their work in the space is more widely known and their goals broadly overlap with the earlier ENISA goals.
A comprehensive data strategy enables us to layer data security and data privacy tools to achieve both sets of goals. Imagine that we want to transmit sensitive data to be processed. Encryption in transit or at rest, a data security tool, helps to maintain data confidentiality while data is moved or stored, as an attacker who intercepts the transmission or accesses the storage is unable to read the encrypted data. However, the intended recipient, who is authorised to access the data, needs to decrypt it in order to process it. Here, data privacy tools such as de-identification achieve the goal of disassociability - protecting the data subject. Even if the authorised individual accessing the data misuses it, maliciously or by accident, the identity of those in the dataset is still protected. In this way data security and data privacy are complementary, and a comprehensive data protection strategy requires both.
Factors Driving Interest in Data Privacy
Public Concern over Privacy
There are many factors driving the current interest in data privacy. One factor is a growing concern over privacy issues from the public, lawmakers and regulators. Regulations, such as GDPR and CCPA, require or strongly incentivise data to be de-identified whenever possible.
Increased Pressure to Innovate
A second factor is the increased pressure on organisations to innovate with their data. This often requires them to distribute datasets internally, move to the cloud, or share data with partners, all of which can bring new risks that traditional data security does not address. New privacy enhancing technologies, such as homomorphic encryption, which allows processing on encrypted data, can allow organisations to work together and share insights without revealing their raw data.
Breakthroughs in Data Privacy
And third, recent years have seen numerous breakthroughs in the field of data privacy that offer new opportunities to mitigate privacy risk whilst innovating with data. One example is data watermarking, where a pattern is inserted into the data itself. This allows organisations to attach metadata directly to the data, stating why a dataset was created, by whom and how it is to be used, and when it should be deleted. If the data is then found outside of those parameters, the watermark can help the organisation to identify that something has gone wrong and trace back to the person or group responsible. This helps ensure policies are being upheld, helps organisations respond faster to breaches, acts as a deterrent for those using protected data, and supports the goal of predictability. Another example is the new field of differential privacy, which has been getting a lot of attention in the research community as it provides a way of provably limiting what can be learnt about an individual if their data is included in a release.
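To make the layering described above concrete, here is an added example (not code from the original post) that combines two of the privacy tools it mentions: keyed tokenisation of direct identifiers for disassociability, and a differentially private count released with the Laplace mechanism. The records, the field names and the demo key are all constructed for illustration.

```python
import hashlib
import hmac
import math
import random

# Constructed sample records (not real people): direct identifiers plus a sensitive attribute.
RECORDS = [
    {"name": "Alice Tan", "nric": "S1234567A", "diagnosis": "asthma"},
    {"name": "Bob Lim", "nric": "S7654321B", "diagnosis": "asthma"},
    {"name": "Carol Ng", "nric": "S1111111C", "diagnosis": "diabetes"},
]
DIRECT_IDENTIFIERS = ("name", "nric")


def tokenise(value: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym: the same input always maps to the same token,
    so joins still work, but without the key a token cannot be reversed or
    re-computed from a guessed identifier (a plain hash would allow that)."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def de_identify(records, key: bytes):
    """Replace every direct identifier with its token; analysis fields stay intact."""
    cleaned = []
    for rec in records:
        clean = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            clean[field] = tokenise(rec[field], key)
        cleaned.append(clean)
    return cleaned


def laplace_noise(scale: float, rng) -> float:
    """Sample Laplace(0, scale) by inverse CDF. rng only needs a .random() method,
    so a deterministic stand-in can be injected for testing."""
    u = rng.random() - 0.5
    if abs(u) >= 0.5:  # guard the log(0) corner case at u == -0.5
        u = -0.5 + 1e-12
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def dp_count(records, predicate, epsilon: float, rng=None) -> float:
    """Epsilon-differentially private count. Adding or removing one person changes
    the true count by at most 1 (sensitivity 1), so Laplace noise with scale
    1/epsilon bounds what the released number reveals about any individual."""
    true_count = sum(1 for r in records if predicate(r))
    return true_count + laplace_noise(1.0 / epsilon, rng or random.SystemRandom())
```

A smaller epsilon means more noise and a stronger guarantee; the raw identifiers never leave the trusted boundary, only tokens and the noisy statistic do.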
A few months ago the Singapore Government announced 13 measures to protect citizens' data and avoid future privacy breaches. They included well-known data security techniques, such as password protection and encryption, as well as tokenisation and digital watermarking. It's this kind of comprehensive and layered approach that we believe is the future of effective data protection.
Ultimately security is necessary, but on its own is not sufficient to protect data. For a modern and comprehensive enterprise data protection strategy, one also needs a comprehensive suite of data privacy tools.