What Should a Security Manager Know About US and UK Privacy Laws?

George Bernard Shaw once said that the U.K. and U.S. were “two nations divided by a common language.” You can say a similar thing about security managers. Security managers in both countries have data privacy as a common theme in their roles, but it is the nuances in how it is applied that may divide them.

Data privacy has increasingly been added to the security manager’s to-do list. This is due to a number of factors, including the raised profile of data privacy in general thanks to a number of high-profile incidents. The Snowden revelations about state surveillance in 2013 started the ball rolling, and the never-ending data breaches that seem to be, at the least, a weekly occurrence have continued it. Where once there was data security, now there is the added goal of ensuring the privacy of that data.

It needs to be noted that data security and data privacy are not the same thing, although at times they are symbiotic. Securing information can help to strengthen the privacy of an individual’s personally identifiable information (PII, the U.S. term) or personal data (the U.K. term).

Let’s start with what data privacy is.

What is Data Privacy?

First and foremost, privacy is not about keeping data secret. This is a misconception that has blighted the application of data privacy. It’s more accurate to describe data privacy as having control over the use of data, with the control aspect being delegated to the individual but augmented by the underlying protection within the system.

Control is the central tenet of privacy, but to assure control you need to create a platform based on trust. Trust is something that has been at the forefront of privacy policy and implementation since Ann Cavoukian, the ex-Privacy Commissioner (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Susan Morrow. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/Se3xy2iHvPc/