It stands to reason that in today’s digital economy it is necessary for businesses to collect and process consumers’ personal information in order to effect the sale of products and services.
However, along with the introduction of robust laws designed to protect the personal data we collect, comes an expectation for businesses to implement equally robust measures that protect the data entrusted to us.
Contrary to popular belief, data privacy and data protection are two entirely different areas of concern. And, having one doesn’t ensure the other!
Data privacy defines who has authorized access, while data protection focuses on protecting data assets from unauthorized use. It could be said that data privacy is more of a process or legal matter, while data protection is mostly a technical control. Clearly, one doesn’t ensure the other, and we need both to work together, in order to establish a proper control mechanism.
The important distinction people should know about data privacy and data protection is who controls which part. Data privacy controls are mostly given to users. Users can usually control which data is shared with whom. Data protection is mostly a company’s responsibility. Companies basically need to make sure that the level of privacy their users have set is implemented and data is protected. ~ Vikram Joshi, pulsd
The Data Privacy Group has been publishing articles on the subject of data privacy since 2016.
Although this article is by no means comprehensive, we focus on the subject of data protection and consider some of the ways in which personal data can be safeguarded against unauthorized access, including:
the three ‘states’ of stored data,
data integrity, and
the relevance of the IoT Trustworthiness model.
What is Personal Data?
Data protection regulations were around in many countries long before the GDPR or the CCPA came into force. Therefore, it might be reasonable to think that businesses shouldn’t need reminding of the meaning of ‘Personal Information’. Unfortunately, however, the high number of companies that remain non-compliant with national data protection laws indicates either a widespread ignorance of what personal data is – or a head-in-the-sand attitude toward this most important – and legally binding – responsibility.
So, for the benefit of those who are as yet unfamiliar with the term, ‘personal data’ means any data that can be used to identify a natural (i.e. living) person.
Such data can include:
name, gender, national ID, location, date of birth, residential address, cultural or social characteristics;
physical, genetic, psychological, mental, medical, financial;
employment, salary, performance, benefits; and
race, ethnicity, religion, political opinions, and biometric data.
Privacy laws and regulations impose significant restrictions on the handling of personal data.
Data Privacy vs. Data Protection
Data protection focuses on protecting an organization’s data assets. It’s about keeping threats out. It is the act of safeguarding data that has already been collected, whether it is personal information, payment details, or proprietary information.
…Data protection is the mechanism — that is, the tools and procedures — to enforce the policy and regulation, including the prevention of unauthorized access or misuse of the data that I agreed to share. ~ Mohamad Zahreddine, TrialAssure
The distinction between data privacy and data protection is really down to who a company plans to share our data with versus how they intend to protect our data from being accessed by anyone else. Now, these could mean the same thing, at the data access level, but in reality, protecting data from unauthorized access requires going beyond a basic Access Control List (ACL) and implementing strong defenses against all potential vulnerabilities of the underlying data systems.
The 3 ‘States’ of Stored Data
Depending on whether data is at rest (DAR), in use (DIU), or in motion (DIM), different data protection solutions are needed.
Data at rest is defined as data stored at various times during its lifecycle. Data in this state is potentially at risk of being manipulated. Therefore, the confidentiality, integrity and accessibility of this data must be protected. Commonly, data encryption and replication techniques are used to ensure protection for data at rest.
Data in motion refers to data that is shared, or transmitted from one location to another. Local and wide area networks are among the most vulnerable points in a system. Data must be protected while it is in motion. Transport Layer Security (TLS) is probably the most common method used to protect data in motion. TLS is point-to-point, meaning the endpoints of the TLS channel must be trusted and intermediate links avoided.
Data in use refers to data that is currently being processed. When data is in use, if it is sent from a data storage device to the processor unencrypted, it could be vulnerable to attacks.
The first logical step to data protection is to block all attempts of unauthorized access. This is normally achieved by deploying a secure authorization system to enforce access control.
A secure authorization system should be based on:
domain security requirements, and
These policies enforce the control of access to all data repositories for data at rest, on all communications channels for data in motion, and for all processing applications for data in use.
The access control system acts as a reference monitor that enforces security policy for access to data. All access routes pass through this reference monitor, which cannot be bypassed.
For example, in the case of data in motion, DDS achieves this through distributed connectivity libraries through which the data passes before it can be used by an application. Before the data can be protected, it must be categorized based on its sensitivity, such as public, restricted, confidential etc. The data should be identified by the sensitivity level defined within the policy.
The security policy defines the roles that can access each category of data, and also specifies the appropriate security controls needed to protect each category of data from unauthorized access.
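As an added illustration (not code from the article), a minimal reference monitor in Python: the role clearances and sample records are constructed assumptions, but every read is forced through one check against the record’s sensitivity category, and each decision is written to an audit trail.

```python
from dataclasses import dataclass
from enum import IntEnum

# Sensitivity categories named in the policy above; a higher value means more sensitive.
class Sensitivity(IntEnum):
    PUBLIC = 0
    RESTRICTED = 1
    CONFIDENTIAL = 2

# Assumed policy (constructed for this example): the highest category each role may read.
ROLE_CLEARANCE = {"marketing": Sensitivity.PUBLIC,
                  "support": Sensitivity.RESTRICTED,
                  "dpo": Sensitivity.CONFIDENTIAL}

@dataclass(frozen=True)
class Record:
    name: str
    sensitivity: Sensitivity  # assigned when the data is categorized, before it is protected
    value: str

class ReferenceMonitor:
    """Single choke point: every read goes through read(), which also writes the audit trail."""
    def __init__(self, store: dict, audit: list):
        self._store = store  # name -> Record; deliberately no public accessor
        self._audit = audit  # (role, record name, decision) tuples

    def read(self, role: str, name: str) -> str:
        record = self._store[name]
        clearance = ROLE_CLEARANCE.get(role)  # unknown role -> None -> deny
        allowed = clearance is not None and clearance >= record.sensitivity
        self._audit.append((role, name, "allow" if allowed else "deny"))
        if not allowed:
            raise PermissionError(f"{role} may not read {name} ({record.sensitivity.name})")
        return record.value

# Constructed sample repository of already-categorized personal data.
STORE = {"product_catalog": Record("product_catalog", Sensitivity.PUBLIC, "widgets"),
         "customer_email": Record("customer_email", Sensitivity.RESTRICTED, "a@example.com"),
         "health_notes": Record("health_notes", Sensitivity.CONFIDENTIAL, "allergy: penicillin")}

def demo():
    audit, results = [], {}
    monitor = ReferenceMonitor(STORE, audit)
    for role, name in [("marketing", "product_catalog"), ("support", "customer_email"),
                       ("support", "health_notes"), ("dpo", "health_notes"), ("guest", "product_catalog")]:
        try:
            results[(role, name)] = monitor.read(role, name)
        except PermissionError:
            results[(role, name)] = None
    return results, audit
```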
Data integrity is all about ensuring the accuracy and validity of stored data throughout its entire lifecycle. This means safeguarding the data against unauthorized alteration or deletion.
There are certain aspects of data integrity which should be considered:
Accuracy of data: Business or operational decisions based on inaccurate data are likely to be flawed.
Protection against tampering: Data manipulation by human operators, or by systems that have been corrupted with unauthorized software can potentially disrupt operations.
Data errors: The unintentional introduction of errors can originate from human operators, faulty communication protocols, and incorrect configurations.
Data integrity can be violated by malicious hackers, or by unintentional corruption during transmission, communication or storage of the data. Data integrity is enforced via cryptographic controls for the detection of integrity violations. The actual control will depend on the lifecycle phase of the data.
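An added example, not from the article, of a cryptographic integrity control for data at rest: an HMAC tag is stored with each record so that alteration of the stored copy is detected on read. The key and the record are constructed for the example; a real deployment would hold the key outside the data store.

```python
import hashlib
import hmac
import json

# Assumed: an integrity key held by the storage service, separate from any encryption key.
INTEGRITY_KEY = b"constructed-demo-key-do-not-reuse"

def canonical(record: dict) -> bytes:
    # Deterministic serialization so identical content always yields the same tag.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def seal(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Return the record bundled with an HMAC-SHA256 tag over its canonical form."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"data": record, "tag": tag}

def verify(sealed: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """True only if the stored data still matches its tag (constant-time comparison)."""
    expected = hmac.new(key, canonical(sealed["data"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])

def demo():
    # Constructed employment record of the kind listed under personal data above.
    original = {"customer_id": 1042, "salary": 52000, "benefits": ["dental"]}
    stored = seal(original)
    intact = verify(stored)
    # Simulated unauthorized alteration of the stored copy with the old tag left in place.
    tampered = {"data": dict(stored["data"], salary=95000), "tag": stored["tag"]}
    # A plain (unkeyed) hash recomputed over the altered data does not verify either.
    forged = {"data": tampered["data"],
              "tag": hashlib.sha256(canonical(tampered["data"])).hexdigest()}
    return intact, verify(tampered), verify(forged)
```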
Data Protection and IoT Trustworthiness
According to an extensive white paper by II Consortium, the Internet of Things (IoT) Trustworthiness framework embodies the viewpoint that IoT is more than just “IT for Things”. For an IoT system to operate in conformance with business and legal requirements, several characteristics of that system, namely security, safety, reliability, resilience and privacy, must remain compliant with these requirements, despite environmental disturbances, human errors, system faults, and attacks.
Data security (and [therefore] data protection) plays a central role in the enablement of IoT trustworthiness and its characteristics: privacy, reliability, resilience, and safety.
For assistance with your company’s Data Protection strategy and implementation, contact Peter Borner at The Data Privacy Group.
NOTE: This article is provided for information purposes only and does not constitute legal or professional advice. The Data Privacy Group recommends that businesses engage the services of an experienced data privacy/data protection practitioner when preparing for compliance with data protection and privacy legislation.