Every organisation must implement a range of methods and procedures to maintain the data's confidentiality, integrity, and accessibility, based on the volume of personal data it processes. This process requires focus on three critical areas: data privacy, data security, and data protection. These terms are often mixed up, and some even suggest they have the same meaning and purpose, but they each play a different role when it comes to personal data management.

When you download a mobile application on your smartphone, you’re usually prompted to a privacy agreement you must consent to before the installation can proceed. The app may then request access to some information on your phone, such as your contacts.

Once you've given the app these permissions, it's the app developer’s responsibility to preserve and protect your data from a data breach. Therefore:

•It would be a violation of your right to data privacy if the app's developer sold your data without your permission,

•it would be a violation to the protection of your personal data if your data on the app was leaked, stolen, deleted or destroyed,

•and, if your data was leaked, stolen, deleted or destroyed, it may have been also a data security incident or breach. For example, your data was stolen due to an external attack by cybercriminals. This means the data security measures you had in place were not sufficient to protect the data.

Let's take a look at each of these three notions separately to gain a better understanding of them.

Data privacy is a legal matter about data access. Only those who are authorised by the data owner can have access and process it according to the Privacy Notice and/or Privacy Policy.

It aims to ensure that personal data is kept private and accessible only to those who are legally entitled to see it.

To have a better understanding, companies should consider the questions below to determine whether or not they are respecting their users' or customers' privacy:

A. How did we get the data? Did we do it in a legitimate manner, in accordance with data protection laws?

B. Did we purchase the data without the authorisation of the person whose information was being sold to us?

C. Did we limit the data collection purely to what Is needed to fulfil the purpose of the data processing activity?

Data Protection is not only a company’s responsibility it is also in many countries a law and legal requirement. Companies need to make sure that privacy preferences set by their users or customers are respected and that the data is sufficiently protected. It concerns the whole data lifecycle, from the moment a company collects the data until its deletion or destruction.

Data Protection management looks at how personal data is processed, for what purpose and where it is kept, and it encompasses the question "How can your data be protected?" by:

A. deciding that certain data is not needed to achieve a purpose within the company and should not be collected,

B. determining that only certain people need to access the data to deliver a process, and

C. deciding how the data needs to be protected, which then moves into the domain of data security.

Data protection strategies usually evolve around data availability and data management, and are typically designed and implemented by a Data Protection Officer (DPO) within a company.

Some of the steps taken by a DPO to protect data can be:

1. map the data and the operations of data processing,

2. identify and map risks,

3. create a set of policies to ensure that the data can be restored if its confidentiality, integrity, or accessibility is compromised, and

4. implement those policies.

Data security is the process of safeguarding digital data from unauthorised access, corruption, or theft at all stages of its lifespan, from the physical security of hardware and storage devices to administrative and access controls, as well as the security of software applications. It also comprises policies and procedures for the organisation.

This covers the implementation of firewalls, user authentication, network limits, and internal security processes to prevent unauthorised access. It also includes data security technologies like tokenization and encryption, preventing attackers from being able to read data in the event of a breach.

Data security is meant to safeguard data by employing a variety of approaches and procedures ensuring the data integrity, accuracy and accessibility is kept in place.

Data privacy, data protection and data security don't have the same meaning, rather they go hand in hand and businesses need to consider all three in order to protect their customer’s personal data.

Palqee's Privacy and Data Governance platform can help you to manage this. Our software solutions support you to safely process personal data and achieve your business goals. You can book a demo here.