Privacy, Protection and Security

By definition, the GDPR is focused on the protection of data. But the term “privacy” gets mentioned a lot, and so does anonymity, so are these the same thing? And what about “security”? Which term should we use for what?

Let’s start with Privacy. Traditionally, the concept of privacy is all about secrecy. I have a password I want to keep private in that it is only known to me. But for data, privacy is often more about control of access and usage than complete secrecy, since we accept shades of grey in how private anything can truly be. Taking an example such as encrypted communications in WhatsApp, we assume privacy of the communication between two people. We know WhatsApp are responsible for the message delivery and trust them to provide this private channel. Privacy is relative: some would argue one form of communication is private whilst others would argue it is not private enough. Privacy is ultimately about maintaining secrecy by yourself or with someone you trust.

Anonymity is quite different. This is all about stripping away your identity such that privacy isn’t as important. For example, you could stand in the street and shout out your password as long as no-one knows who you are. You’ve no privacy but your anonymity saves the day. In environments where privacy is hard to achieve, e.g. with ISPs monitoring your web browsing, anonymization allows your data to travel in the clear, with no concern for lack of privacy.

Security means a lot of things, but the most useful description is that it is a combination of Confidentiality, Integrity and Availability. Crucially, these are never weighted equally and each environment will require its own blend of security. For example, Press Releases require protection of their confidentiality until their release, at which point they become public and any confidentiality concerns disappear. At this point the integrity of the detail of the Press Release and its availability become paramount. Privacy is a key component of security. If data is not kept private, there is no confidentiality, and in turn it is not secure. But not all security is about data. A network could itself be secure, even if two endpoints that communicate over it are not. And again, this is all about shades of grey. Secure to me might be very different to secure to you.

Lastly, we have Protection which is all about maintaining the level of security of something. We can protect data by maintaining its confidentiality (including privacy), integrity and availability. Accidentally email a confidential file to a competitor (C), corrupt it (I) or lose it on a train (A) and you’ve not properly protected its security.

When it comes to GDPR you’ll see many people conflate these terms. Even within official GDPR texts there is some questionable usage. Data Protection versus Data Privacy is a common misunderstanding. My view: who cares? We all know what people mean and we’re all trying to achieve the same goal of protecting personal data. Do your best to use the correct terminology in your work and stay safe out there, and secure, and private…

Carl Gottlieb

Carl Gottlieb is the privacy lead and Data Protection Officer for a select group of leading tech companies. Carl’s consultancy company Cognition provides a range of privacy and security services including virtual DPO and virtual CISO.