If you ask most tech workers the difference between security and privacy, they probably won’t be able to tell you — unless their main job is working on one of those teams. Given how much of our life is now online, this is a problem that can lead to corporate liability and multimillion-dollar fines, especially from European regulators. With this increased focus, what is the difference between security and privacy, and how should employees think about these issues?

To start, let’s look at Twitter’s announcement this summer that a hacker had been in its system for more than six months, and was offering to sell user data from 5.4 million accounts. (In 2020 a Florida teen was also charged with taking over accounts.) Hackers breaching Twitter’s system pose a security problem. But since these hackers may have had access to millions or billions of records, that’s also a privacy problem.

This summer, Meta was fined $403 million by Ireland’s GDPR (General Data Protection Regulation) authority. Last year, European regulators fined Amazon $888 million. This is a big problem for major platforms, but it can hit almost any company today: California recently fined Sephora $1.2 million for violating the CCPA (California Consumer Privacy Act).

If we want to reduce the impact of fines and breaches, we need software companies to focus on privacy as much as security, and make sure their employees know the difference. If you go to the doctor, your doctor knows exactly what HIPAA regulations allow them to disclose. Any trucker on the road knows exactly how many hours they can drive based on DoT Hours of Service regulations. But if you ask tech workers what they can and can’t do under CCPA, most may not even recognize the acronym. 

Privacy is about creating trust in your organization. It’s about how you handle personal information, and making sure that you’re treating this data responsibly and in line with what consumers would expect you to do. 

TL;DR on GDPR

GDPR guidelines call for data to be stored in a manner that ensures users can request that their information be corrected, deleted as part of the “right to be forgotten,” or accessed so the user knows what data the company has collected on them, along with various other privacy rights requests. But when data is stored in multiple disconnected databases, it is much more challenging to stay compliant, because every request requires multiple steps and coordination across those databases.

Rules also focus on where data is stored, aiming to regulate the flow of data between the U.S. and European countries. Facebook is fighting this policy, but insists that "Meta is absolutely not threatening to leave Europe." To prepare for these regulations, companies need to ensure they have a comprehensive record of data processing activities and a data inventory, so they can demonstrate compliance to regulators.
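As an added illustration (not code from the article or from Fivetran), here is a small Python model of what a data inventory and a record of processing activities buy you operationally. Every store that holds personal data is registered in one inventory with its region and processing purpose; an access, rectification or erasure request is then fanned out from that single place rather than handled store by store. The last function shows the failure mode the paragraph above warns about: a store that holds PII but was never registered is simply never reached by a request. All store names, regions, fields and the user record are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class DataStore:
    """One system that holds personal data. All values here are constructed."""
    name: str
    region: str                        # where the data physically lives (transfer rules)
    purpose: str                       # why it is processed (record of processing)
    pii_fields: Tuple[str, ...]        # which personal-data fields this store holds
    records: Dict[str, Dict[str, str]] = field(default_factory=dict)  # user_id -> row

    def access(self, user_id: str) -> Dict[str, str]:
        """Return a copy of everything this store holds on the user (empty if nothing)."""
        return dict(self.records.get(user_id, {}))

    def rectify(self, user_id: str, changes: Dict[str, str]) -> List[str]:
        """Apply only the fields this store actually holds; return the fields changed."""
        row = self.records.get(user_id)
        if row is None:
            return []
        applied = [f for f in changes if f in self.pii_fields]
        for f in applied:
            row[f] = changes[f]
        return applied

    def erase(self, user_id: str) -> bool:
        """Drop the user's row; True if something was actually deleted."""
        return self.records.pop(user_id, None) is not None


class DataInventory:
    """Central register of every store holding PII: the one place requests fan out from."""

    def __init__(self) -> None:
        self.stores: Dict[str, DataStore] = {}

    def register(self, store: DataStore) -> None:
        self.stores[store.name] = store

    def record_of_processing(self) -> List[Dict[str, str]]:
        """The inventory doubles as the record of processing activities shown to a regulator."""
        return [{"store": s.name, "region": s.region, "purpose": s.purpose,
                 "fields": ", ".join(s.pii_fields)} for s in self.stores.values()]

    def handle(self, kind: str, user_id: str,
               changes: Optional[Dict[str, str]] = None) -> Dict[str, object]:
        """Dispatch one data-subject request to every registered store."""
        results: Dict[str, object] = {}
        for name, store in self.stores.items():
            if kind == "access":
                data = store.access(user_id)
                if data:                       # only report stores that hold something
                    results[name] = data
            elif kind == "rectify":
                results[name] = store.rectify(user_id, changes or {})
            elif kind == "erase":
                results[name] = store.erase(user_id)
            else:
                raise ValueError(f"unknown request type: {kind}")
        return results


def unregistered_stores(inventory: DataInventory, all_stores: List[DataStore]) -> List[str]:
    """Stores holding PII that the inventory does not know about: requests never reach them."""
    return [s.name for s in all_stores if s.name not in inventory.stores]


def build_demo():
    """Constructed sample: three registered stores plus one forgotten export."""
    crm = DataStore("crm", "eu-west", "customer support", ("name", "email"),
                    {"u-1001": {"name": "A. Example", "email": "old@example.test"}})
    billing = DataStore("billing", "us-east", "invoicing", ("name", "card_last4"),
                        {"u-1001": {"name": "A. Example", "card_last4": "4242"}})
    analytics = DataStore("analytics", "us-east", "product analytics", ("email",), {})
    legacy = DataStore("legacy_export", "us-east", "unknown", ("email",),
                       {"u-1001": {"email": "old@example.test"}})
    inv = DataInventory()
    for s in (crm, billing, analytics):        # legacy_export is deliberately left out
        inv.register(s)
    return inv, [crm, billing, analytics, legacy]


if __name__ == "__main__":
    inv, everything = build_demo()
    print("record of processing:", inv.record_of_processing())
    print("access:", inv.handle("access", "u-1001"))
    print("rectify:", inv.handle("rectify", "u-1001", {"email": "new@example.test"}))
    print("erase:", inv.handle("erase", "u-1001"))
    print("still holds PII, never asked:", unregistered_stores(inv, everything))
```

The point of the last line is the one the article makes: an erasure request that returns "done" from every registered store can still leave personal data behind in a database nobody inventoried, which is exactly why the inventory has to be complete before the request handling can be trusted.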

Ten pillars for privacy awareness

Conducting ongoing training at your company is very important for all employees who access personally identifiable information (PII). Given the pace of announcements about new fines and updated policies, you may need to update your staff frequently.

At Fivetran, I conduct training across the company, at least every 12 months, but additional reinforcement for legal requirements is a year-round job. Awareness includes teaching the foundational aspects of privacy, rather than a long list of legal requirements, and explaining how those principles apply to each team and team member. I have a checklist of focus areas. Here’s what people need to know.

With the importance of data to modern businesses, ensuring that employees are familiar with privacy law will put your company in a much better position in case of an incident. Thinking about how data is captured and stored will help minimize risks. Privacy is your company’s promise to consumers that you’re a trustworthy partner, and have their interests in mind. To build awareness around privacy, use the checklist above to ensure data processing teams know their data privacy responsibilities just as well as a doctor knows HIPAA requirements.

Seth Batey is senior privacy counsel with Fivetran.
