The terms privacy and information security are frequently confused, but the way an organization should deal with each of them is not the same. Very briefly, privacy is about the proper use of the personal data an organization processes. Information security is about taking measures to protect the availability, confidentiality and integrity of all information within an organization. Both are important to your organization, but it is good to understand the difference. Therefore, we list the main differences.
Privacy is only about personal data; information security encompasses all of an organization's data
Data that is directly or indirectly traceable to individuals is covered by privacy law. But when a Security Officer thinks about information security, all of the organization's data is meant: information security policies cover financial data, e-mail addresses, customer data, product designs, etc. So the scope of privacy is more limited, but it covers more than you might think: every piece of data that can be traced back to an individual falls under privacy law, including data that is only indirectly identifying.
Who prescribes what?
Privacy
Privacy is enshrined in legislation, the most important general privacy law being the AVG (the Dutch name for the GDPR). The AVG contains rules for companies and organizations in the EU on the processing (collection, storage, use, etc.) of personal data. Any organization in the Netherlands that processes personal data, large or small, business or government, must therefore have its privacy policy in order. In addition, the ISO 27701 standard, an extension of ISO 27001, provides requirements and guidelines for setting up and improving a privacy information management system.
Information Security
Information security is laid down in standards, ISO 27001 being the best known of them. Complying with it is not, in general, a legal obligation, but a means of demonstrating that you have your information security in order and that you are a reliable partner.
Privacy protects the people, information security protects the organization
Privacy
Privacy is about reducing risks that affect a person's rights and freedoms. For example, consider the following risks:
- Personal data ends up with people who shouldn't see it
- Personal data gets lost
- Personal information is incorrect
- Identity fraud
Privacy laws, such as the aforementioned AVG, outline the risks that you, as an organization, must avoid or mitigate. Failure to do so can result in hefty fines.
Information Security
Information security, by contrast, focuses on the interests of the organization itself. The purpose of the information security policy is to safeguard the continuity of the organization and to ensure that important information does not leak. The information security policy should also ensure that incidents, such as a phishing attack, are handled and resolved properly.
Transparent or secretive
Privacy
Imagine you collect data from your customers. According to the AVG, you must be very clear about what you do with that data. Your job is to inform your customers about how their data will be used through a privacy notice and, where consent is the legal basis for the processing, to ask for that consent with a consent form. These forms of communication are required by the AVG so that everyone knows what is happening with their information.
Information Security
Transparency of this kind is not a top priority in information security. Security teams prefer not to share too much information about security incidents, because future attackers can use that information. Many IT security professionals know that secrecy alone does not keep a system secure (security through obscurity is no substitute for real controls), yet their work still depends in part on it. For example, it is better not to reveal too much about exactly how the network is secured. Passwords and encryption keys, of course, must always be kept secret.
Conclusion
Clearly, both privacy and information security are important to your organization, but they have different goals and require different approaches. Privacy is about protecting personal data to safeguard the rights and freedoms of individuals; information security focuses on protecting important data within an organization to ensure the continuity and safety of business operations. Privacy and information security often go hand in hand, and by properly managing both you can not only meet legal requirements but also gain and maintain the trust of customers and partners.
Would you like to get started with privacy and/or information security and need help with that? Then our consultants are always at your service.

This article was written by Wilbert Hilhorst. Do you need help or have any questions? If so, please contact him without obligation.