Technical data security and protection are disciplines that can be achieved without a data privacy program, however, a personal data protection program encompasses extended data security including human facing and technical data security and protection.
In the current environment of data theft and data privacy incidents, I believe it is essential for data privacy people to extend their knowledge of data security and protection.
It is in the portfolio of the data privacy team to ensure that the security team are covering the governance aspects of security, whether it be complying with CIS / SANS and NIST frameworks enabling the identification of highest risk areas to focus spending and resources on, or building up resilient digital cyber security response plans and fully testing these.
The extended data privacy risks beyond cyber security are managed by the privacy team working with the marketing, human resources and IT / cyber security teams. These are governance risks, risks of non-compliance (reputation and financial), human error risks and then obviously external breaches and data theft, ransomware attacks and the like.
The overlap between cyber security and data privacy is large, cyber security incident response encompasses many types of cyber-attack that can compromise data privacy, the types of incident one requires an incident response plan for are:
- Denial of service attack.
- Malware outbreak.
- Phishing attacks.
- Privilege escalation.
- Ransomware attacks.
- Unauthorised Root access.
- Virus outbreaks.
- Data loss incidents.
- Data theft incidents.
The global data privacy regulations are essentially a good practices guide for organisations to ensure their ability to be trustworthy in their management of the personal information of all stakeholders, this includes building the capability to strongly manage cyber security to protect the private, personal and other information gathered and held by an organisation.