Data protection and data privacy 101


Data protection and data privacy—these phrases get thrown around a lot. Both are critical to business (and often go hand-in-hand) but can get mixed up. Here, we talk about the big differences, when each one is needed, and how to address the requirements your organization might have.

Tara Holt
November 5, 2021
7 mins

Let's Start with Basic Definitions

Data Protection: the process of safeguarding important information from corruption, compromise, or loss. This process includes backup and recovery as well as controls around data security and data integrity.

Data Privacy (a.k.a. information privacy): the process of managing certain types of data, such as Personally Identifiable Information (PII) and Protected Health Information (PHI), to ensure that it is not misused.

To simplify even more, while data protection provides tools and policies to safeguard data, data privacy restricts access to sensitive data.

Data Protection = Data Access Restriction

With COVID-19, companies were forced overnight to shift their data protection focus to supporting remote workers. It's because of this that Gartner has named "Anywhere Operations" a top technology trend, with businesses taking a digital-first, remote-first approach. Of course, this means data of all types is at greater risk of cybersecurity attacks, including malware, ransomware, and phishing schemes. Attackers can sell or ransom your data, wreaking extreme havoc on your business.

Per IBM Security's 2021 Cost of a Data Breach report, conducted by the Ponemon Institute, the global average cost of a data breach was $4.24 million. This was a 10% increase from 2020, the largest single-year increase in seven years. With a per-record cost of $180, customer PII was the most common type of record lost. With the average data breach taking upwards of 287 days to identify and contain, it's painfully obvious how critical the issue of data protection is for businesses today.

Cybersecurity experts agree that developing a data protection strategy to prevent attacks is imperative for businesses of all sizes. Here's what you'll need to do to get started:

  • Understand the data you have
  • Create a risk-based strategy to manage business operational risk, reputational risk, and legal and compliance risk
  • Take a holistic business approach, bringing together IT, legal, and security expertise
  • Foster a security-aware working culture
  • Develop strong information governance for both physical and digital data
  • Build up your defenses in depth
  • Factor remote workers into your strategy

Data Privacy: Defining Who Gets Access

One of the many reasons data needs to be protected is to protect individuals' privacy.

Personally Identifiable Information, such as names, addresses, social security numbers, telephone numbers, and email addresses, is needed by businesses every day to service customers. However, the loss of PII can result in substantial harm to your customers, employees, and business.

To help protect this data, there are many laws and regulations around data privacy, focusing on either geography or industry-specific sectors. Here are a few examples:

Geography focus:

  • European General Data Protection Regulation (GDPR): ushered in a new era of data privacy, transforming the rules for using personal data and the fines for non-compliance (see Iron Mountain's GDPR Resource site for details)
  • California Privacy Rights Act of 2020 (CPRA): first US privacy law of a similar magnitude to GDPR

Industry-specific focus:

  • Health Insurance Portability and Accountability Act (HIPAA)
  • Family Educational Rights and Privacy Act (FERPA)

As companies continue to struggle during a global pandemic, more data privacy issues have come into play. To help guide COVID-19 company responses, 93% of security professionals said their organizations turned to the data privacy team. As a result of this challenge, privacy budgets doubled in 2020 to an average of $2.4 million. Here are some privacy benchmark recommendations from that same study to consider:

  • Ensure privacy principles continue to be respected
  • Use sensitive data to serve the public good
  • Make privacy skills and expertise a core competency
  • Be prepared for privacy to be a Board-level issue
  • Invest in privacy to enhance customer trust and realize significant business value

Organizations with more mature privacy practices have been shown to realize higher business benefits than average, and they are much better equipped to handle new and evolving privacy regulations around the world.

To fully safeguard customer and employee information simultaneously, companies need to take both data protection and data privacy seriously. Data breaches are no longer isolated events, and when data is stolen or leaked, there can be serious repercussions.

The COVID-19 pandemic has ratcheted up the need for greater efforts around data protection and privacy. As organizations grapple with new ways of doing business, they will likely continue to support remote and digital-first workplaces for the foreseeable future.