
There Is No Privacy Without Security


Jan 28, 2021 - 5 minute read

Beata Winczaszek Quality Expert, Personal Data Protection

She has been working for Objectivity since 2018 – first as a Quality Expert and today as Quality Expert and Personal Data Protection Specialist. She is a great enthusiast of building GDPR awareness. After hours, fascinated with the history of Polish mountaineering in the Himalayas. 


What’s the Difference Between Privacy and Security?

It has been over two years since GDPR’s implementation, and there's still plenty of work to be done on privacy and data protection awareness. That’s why any occasion is worth using to discuss and explain GDPR. I believe that 28 January, Data Protection Day, is just one of those occasions. As in previous years, we celebrate Data Protection Day at Objectivity, giving our colleagues an opportunity to ask questions and to talk about privacy.

In my previous posts, I discussed:

In 2021, we celebrate Data Protection Day with the motto “There is no privacy without security”, and below I will explain why. But just before that, let’s start by describing what privacy and security mean when we’re considering personal data.

Privacy is the right of a person or a group to seclude part or all of the information about themselves. This gives them control over how they express themselves and how their personal data is used. In that understanding, privacy is all about respect. I expect my data to be treated fairly and with respect. Why? Because data has value.

Meanwhile, data security is all about preventing the loss and destruction of data, as well as protecting it from unauthorised access. According to the CIA triad of information security, it means ensuring data Confidentiality, Integrity and Availability.

How Can GDPR Help Us Ensure Our Privacy?

GDPR protects the rights and freedoms of natural persons. One of them is the right to the protection of personal data. It’s done by setting clear rules on how data should be treated. We call them key principles (Art. 5 of GDPR). A large portion of the responsibility falls on the data controller. It’s the legal person or organisation that determines the scope and the purpose of data processing. Let’s discuss these principles one by one.

  • Lawfulness, fairness and transparency. Lawfulness means that the data controller needs to define a proper legal basis for personal data processing according to Art. 6 of GDPR. There are six possibilities:
    • consent,
    • contract,
    • legal obligation,
    • vital interest of the data subject or another natural person,
    • public interest,
    • legitimate interests of the controller or a third party.

According to GDPR: “It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed.” But in my opinion, transparency is even more important. Recital 39 of GDPR is not only about the availability of the information and how the personal data is processed. It also says that “transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used.” This approach is crucial as it gives people the chance to make truly informed decisions. Therefore, the controller shall ensure that the message is aligned with the following:

  • It’s clear, comprehensible, and "friendly" for the recipient.
  • There’s a mechanism implemented for informing people about the processing of their data.
  • There’s a mechanism implemented for informing people about significant changes in the processing of their data.

  • Purpose limitation means in practice that data processing is always strictly connected to its purpose, and should stop when there’s no longer any legal basis and purpose. It also requires the data to be adequate and relevant to the purpose. This rule was implemented to prevent the desire for excessive data collection. “Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means”. In practice, the controller needs to comply with the following:
    • Collected data is sufficient for the specified purpose.
    • Data is adequate for the intended purpose.
    • Data processing is limited to what’s necessary for the purpose.

 

  • Accuracy simply means ensuring that inaccurate data won’t be processed. Where possible, it might be worth considering a mechanism that gives users access to their information so that they can check the accuracy of their data.

 

  • Storage limitation ensures that data will no longer be processed when it diverges from the legal basis and purpose for which the personal data was collected and “time limits should be established by the controller for erasure or for a periodic review”. At the end of processing (expiration of the purpose), the data should be deleted or anonymised. Because of that, the controller, besides determining the purpose of the processing, also has to specify the processing time.

 

  • Accountability means that the controller is responsible not only for ensuring that personal data is processed according to the principles, but also for demonstrating compliance in this area. The controller needs to implement a proper process for collecting evidence. For example, when the legal basis for data processing is consent, the controller needs to implement a mechanism to document consent collection. Another example is collecting logs that make it possible to verify who introduced, modified or deleted the data, when, and on what basis.

 

  • Integrity and confidentiality (security). The last principle is certainly not the easiest one, since it’s very laconic. Why is that so, if we know how important security is? Well, because when it comes to security, there’s a constant fight against time and external threats. Art. 5 of GDPR says that data shall be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”. What are these measures? It could be pseudonymisation, encryption, or access control. Practical examples are as follows:
    • Encryption of data at rest.
    • Encryption of data in transmission.
    • Pseudonymisation applied whenever/as soon as possible.
    • Controlled access to data, limited to personally identifiable, authorised personnel.
    • Restricted access to sensitive information.
    • Data Processing Agreements with adequate security measures listed for the case of third party access.
    • Password policy in place.
    • If possible, implementation of other authentication requirements.
    • If possible, separation of sensitive and unprotected data.
    • Implementation of backup with scheduled frequency and regular testing.

Summary

Only compliance with all key principles will allow the data subject to rest assured. At the same time, security is the principle which binds them all together. Data processing transparency ensured by the controller will no longer be applicable in the case of unauthorised access.
