Blog - Jun 2019, London, UK

Data protection v Data privacy: regardless of sector every business is in the data business

Joe Collinwood, CEO at CySure explains the difference between data protection and data privacy, which organisations of all sizes and sectors can no longer afford to ignore.



Since GDPR came into force companies are still getting to grips with data processes and policies.

The EU General Data Protection Regulation (GDPR) came into force on 25 May 2018 with great fanfare, and rightly so. It is the most significant change to data protection and data privacy legislation in Europe for over two decades and puts individuals back in the driving seat of how their data is used. However, almost a year on there continues to be a lot of confusion within the business community on the distinction between data protection and data privacy.

Data Protection vs Data Privacy
Data protection refers to the technical controls on protecting assets from unauthorised use i.e. in effect the tools and procedures to enforce the policy and regulation. Data privacy is the legal and operational measures that govern the use of data, ensuring only authorised users gain access to personal data. GDPR makes it the responsibility of every organisation to implement the appropriate technical and organisational measures to ensure a level of security appropriate to its risk. A common mistake is that companies ignore what the ICO refers to as the “7th Principle”. Which is that a company already compliant with the Data Protection Act and already has technical controls in place to properly secure personally identifiable information, those controls must go beyond the firewall and anti-malware that most companies think are sufficient.

In the event of a complaint to the ICO or a report of a data breach, a data controller or processor will need to demonstrate that they ensured appropriate security was in place. That extends to suppliers and contractors to your business. If an organisation isn’t compliant with GDPR it is accepting a significant risk to its business. The inability to demonstrate proportionate steps to comply with GDPR is likely to attract significant scrutiny from the ICO and a more robust fine. Not to mention the reputational damage that accompanies a breach in data.

Commercial advantages of safeguarding data
Being GDPR compliant is not a one-time activity, it is a cultural shift in how organisations protect personal data and it should be baked into policies, processes and procedures. By taking a proactive stance towards data protection and data privacy, organisations can take control of their data and engage with customers and prospects on a deeper and more personalised level. By developing a reputation for safeguarding sensitive information and providing transparency to customers, businesses can improve brand loyalty whilst also gaining new customers. Business growth is dependent on customer trust. Savvy organizations that can demonstrate a trusted track record and commitment to protecting customer information can maximise on the opportunity to differentiate themselves from the pack by making data protection and privacy a priority.