Think about these two phrases:
- You can have information security without data privacy.
- You can’t have data privacy without security.
Stakeholders in most Nigerian companies and institutions often confuse data privacy with information security and vice versa.
This shows two things. First, that stakeholders in organisations don’t understand the intricacies of data privacy and don’t understand the difference between information security and information privacy. They often think that because they have secured their information assets, their organisation automatically has a working information privacy framework.
Second, failure to distinguish these two often sends these companies on aimless information security trajectories while abandoning data privacy. Security within a company usually focuses on the three tenets of information security, which are confidentiality, integrity and availability, without paying attention to data privacy regulation principles. Having these elements embedded in a company’s business operations doesn’t automatically mean the company has privacy structures in place. That’s why a company can have information security without data privacy structures.
On the other hand, you can’t have data privacy without security. One of the essential requirements in any data privacy scheme is security. As part of the organisational and technical measures companies must apply in data protection, the security function becomes paramount. It also adds credence to the principle of accountability. I don’t know a company that can boast of a comprehensive data protection framework without giving consideration to security.
Also, security in data privacy covers a vast array of things, and a company’s privacy framework is made up of many components. I have covered data accuracy, data minimisation and data privacy-by-design in this space, which are some examples of these components.
If you’re a stakeholder in a company, you want to ensure that your company’s information security aligns with its data privacy framework. In one scenario, an information technology officer claimed that the IT policy in her company couldn’t merge with data protection initiatives. She failed to realise that email passwords, access cards, encrypted laptops and the like are requirements or necessities under a data protection regulation.
Defining terms might help simplify complexities within the data protection regulation. If there are existing difficulties in understanding how these terms work or correlate with current business functions, the given business should seek help.
In many cases, companies have the wrong idea about the definitions embedded in data privacy regulations. I’ve seen stakeholders argue that the principle is just a law and, as such, roll out all sorts of policies. These types of stakeholders forget that definitions in data protection regulation must speak practically. It’s a law of business actions.
The regulation requires tools and technology, it requires people and processes, and it requires an in-depth knowledge of terms and how they correlate with existing business functions.
Let’s explain further with another scenario. A data privacy professional asked the principal of an Abuja-based private college about their privacy notice. He wanted some useful clarification about some grandiose claims on the college’s website. The principal couldn’t show what kind of security was in place, and didn’t even know who had access to what, yet the website claimed that “they care about information security and data privacy.”
When the data privacy professional dug deeper, he found out that staff within the college thought that having a list of data privacy policies made them compliant with the Nigerian Data Protection Regulation (NDPR). To add fuel to the burning ignorance, the principal added that they are just an educational outfit, so why should the government worry about how they manage data? The principal’s thinking begs the following questions: how much should a stakeholder know, and what should they be doing to protect data?
In summary, stakeholders must make extra efforts to understand the various data privacy terms and their practical implications. More importantly, as stakeholders, they should be able to tell apart the distinct concepts within the regulation. The privacy notice shouldn’t be confused with privacy policies, nor a data privacy impact assessment mistaken for a privacy impact assessment. Company stakeholders should seek to learn more about data privacy and encourage their staff to do the same.
Asia January 29, 2020