Nicole Cowell, senior legal director and data protection officer, Kohler Co.
In today’s world, we are barraged with headlines about covert online monitoring, data breaches and identity theft. It has become so common to hear about the latest company that has been hacked or investigated by the government for selling people’s online data. We want more security. But does more security solve all these problems equally? Are security and privacy issues covered under the same umbrella?
The answer is no. Fundamentally, it is important to understand that data security and data privacy are not the same. Privacy relies on security to be successful; conversely, security looks to privacy to understand what to protect.
To illustrate: Your home may have a safety system that includes cameras, locks and codes that alert you to any attempted unauthorized entry. That at-home system works much the way data security does. Data security (your alarm system) works to keep bad actors from accessing your personal data (the pocket watch handed down from your grandfather).
Data privacy is like the treasured items inside your home — that pocket watch from Grandpa or a bracelet from your mother. You don’t share those treasures with just anyone. If you do lend them out, you want to know they are handled with care. Those items are like your data. You do not want everyone to know private details like how much you weigh, the medications you take or your bank account number. Your employees, contractors and customers feel the same about their social security numbers, financial information and other data. Security works to keep that data private.
Once you understand the difference between security and privacy, you can see why it is important for a company to focus on both. Many companies have IT security programs that protect company information, which includes the data a company collects from individuals. Privacy programs, on the other hand, are not so common. Privacy programs focus on how companies use that individual data.
This, however, creates a gap. While IT security prioritizes protection of data, without a privacy program there is no focus on how that data is used by the company. For example, an IT security program enforces everyone encrypting or password-protecting sensitive data, like a list of employee salaries and performance ratings. Without a privacy program, though, that list of all employees’ data may be sent to all company managers.
A key privacy principle is data minimization, meaning “share on a need-to-know basis.” Privacy works to ensure that such sensitive employee data is only shared with those who need to know it, like the employee’s leadership chain.
Why is this gap important? Employees, contractors and customers see the same headlines we do. They are realizing that the way companies now do business is by using their data. Forget bitcoin; personal data is the new digital currency. People understand that giving some of their data to companies can facilitate better user experiences, from website curated content to vendor purchase orders to helping employees plan for retirement.
People want assurance that if they share their data, they can trust the company to protect it, use it transparently and respectfully and not sell it to third parties without first giving them a chance to say “no, thanks.” Using the example above, if an employee learns the company has shared their salary and performance data with all managers of the company, that employee may be upset and feel this is intrusive. What if that employee is friends with or related to managers in other groups? Now that personal contact would know the employee’s value to the company without a legitimate need to.
There are also many privacy laws both globally and domestically, from U.S. federal laws like CAN-SPAM and COPPA to new state privacy laws like those recently enacted in California, Virginia and Colorado. Data privacy professionals can help navigate this legal landscape while also providing guidance on how to meet the privacy expectations of individuals.
For instance, where a company sells products in multiple states or countries, privacy professionals can help identify people’s privacy expectations and rights in each geography, from maintaining warranty data to outreach for future service or marketing opportunities. Privacy laws reach across boundaries and state lines. It is important to understand that privacy requirements are not limited to the states in which the company operates. Where the company sells or markets, the requirements there typically also apply to the company.
Privacy competence is no longer nice to have; it is a ticket to entry in the global market.
Today, you need both privacy and security. One without the other is like a bike with one flat tire — it might look whole, but you would be missing a critical part of the overall mechanism.
Nicole Cowell is an International Association of Privacy Professionals certified practitioner and senior legal director and data protection officer for Kohler Co. In partnership with IT Security, Nicole built Kohler Co.’s global Data Privacy Program.
