2020 looks to be a busy year in data privacy. New laws and regulations will impose various requirements on organizations in every industry, and those requirements often apply with little regard to an organization's size or location.
When most people hear the term “data privacy,” their thoughts immediately turn to computers, hackers, identity theft, viruses, and malware. But privacy professionals are not necessarily security experts. And security experts do not necessarily understand data privacy.
To understand the difference between privacy and security, consider, for example, the information you might collect from your customers, your clients, or even your employees. On any given account, you may collect and “process” personal information like names, addresses, phone numbers, or email addresses (in privacy law, “processing” is broader than “using”: it covers collecting, storing, using, sharing, and deleting the information). You may collect commercial information like order history or product preferences. Perhaps you collect medical, employment, or educational information. And, through a website or mobile app, you likely collect information like IP addresses, geolocation information, browsing history, click history, and usernames.
From a security perspective, you may have an obligation to protect this information so that it doesn’t fall into the hands of a bad actor. Security is a business function driven by the need to prevent (or mitigate the results of) unauthorized access to data, that is, a data breach. But from a privacy perspective, you may have an obligation to disclose how you intend to use this information, even when every use is fully authorized and the data is never exposed. You may also have to give the individual the information is about (the customer, client, or employee) certain choices related to that use, such as the right to opt out, to access the data, or to have it deleted. That is, privacy is a business function driven by business need, internal policy, and applicable laws and regulations. No matter the business, your privacy obligations extend well beyond merely securing data.
The takeaway here? Your IT Department’s representation that your company data is “secure” is not enough to comply with data privacy requirements; it answers who can reach the data, not whether your collection and use of it are lawful and disclosed. As the saying goes in privacy circles: you can’t have privacy without security, but you can have security without privacy. In today’s environment, you need both.
Jeffrey A. May practices in the areas of general business law, intellectual property, and litigation with a focus on the increasingly important area of Cybersecurity and Data Privacy Law. He is credentialed as a Certified Information Privacy Professional/United States (CIPP/US). He has prior experience owning and operating a technology-based business. His experience and education allow him to assist clients with a wide range of business issues and litigation matters. Jeffrey helps clients identify and mitigate risks related to data security incidents and breaches, information technology policies and practices, and data sharing arrangements with third parties.