Navigating the Tightrope: Balancing Security and Privacy Conflicts

In today's digital landscape, businesses face an ongoing struggle to strike the right balance between security and privacy. While robust security measures are essential to protect sensitive data and assets, maintaining customers’ and employees’ privacy is equally important to establish trust and comply with regulations. Privacy by Design (PbD) incorporates this as a principle (more on that in a future article), stating that it should not be a “zero sum” game; privacy and security should work together and not be in competition with one another.

There are a few instances where this becomes a difficult balance to strike. It’s easy to claim that the two work together, but complexities enter into the fray where different objectives exist. Some of the most common challenges we see are detailed below.

User experience and personalization

Data collection in efforts to tailor and personalize service delivery is something that we’re all used to, as the business and as the consumer. More data can mean better tailored offerings and allow for great improvements to the product. That said, collecting too much information can invoke the “creepy factor” and get a little too personal, resulting in complaints to the company, or worse, a regulatory body.

A common mistake is to oversimplify the situation by simply following a “more data needs more security” approach. The fact is, you’re still collecting data that could be deeply personal, and while having higher security on sensitive data is a good practice, not having the sensitive data in the first place could reduce your risk (and your creepiness).

Carefully considered anonymization that doesn’t put the end user at risk can result in fewer personal data points collected, simultaneously lowering your risk, as well as the need for costly security resourcing. In short, be sure you’ve explored all options on both sides!

Encryption is double-edged

Encryption is often touted as the “silver bullet” that solves all privacy and security issues; however, it can also cause problems in both avenues. Yes, encryption safeguards sensitive data from unauthorized access, but it can severely hinder security practices such as monitoring for insider threats in a business.

Striking a balance between your internal security and privacy requires careful consideration, and teams implementing security solutions should most certainly have the privacy team represented at the table, as more and more legislation enforces employee privacy in the same manner as it would your customer information.

“By Default” can be harmful

Security or privacy “by default” is something we’re seeing coming in as best practice, and in some cases mandated by legislation. It refers to having the most secure or private settings enabled by default, after which a user may then dial down the settings of their own accord if they so wish.

What counts as a reasonable default needs to be considered very carefully, as several technologies, at their most secure, can break the usability of a product. Similarly, having the most private settings by default can hamper your ability to deliver a service to a named individual. Because of this, careful analysis and review of your features need to take place to ensure that the defaults you are enabling are reasonable and should be included in the first place.

How to toe the line

The vital keys to resolving these conflicts are open communication and the involvement of both privacy and security representatives when considering your business practices. These challenges are what have resulted in many jurisdictions stating that security officers cannot be privacy officers due to the inherent conflict of interest.

A highly valuable practice is getting a team in that speaks both languages, moderators if you will, to help guide you along the journey and see your challenges through an outside lens. Bamboo Data Consulting has loads of experience in these challenges and partners with your teams to ensure you’re balancing these challenges in a responsible manner. If you find this is an area you’re looking to improve in, reach out to us for a consultation and let’s see how we can assist!

Ross Saunders

Ross Saunders is a global privacy, tech, and infrastructure specialist working with numerous industries to implement privacy programs and their accompanying technical infrastructure controls.

With a background in IT administration, software development, and Governance, Risk & Compliance (GRC), he is able to assist in a wide range of disciplines surrounding compliance, security, and privacy. He regularly assists tech-heavy companies with advisory, awareness campaigns, and practical implementation of controls.

Ross holds a master’s degree in the Management of Technology and Innovation, and holds designations and certifications in privacy legislation (CIPP/E), ethical hacking, and paralegal practice. Ross is a Professional member of the International Association of Privacy Professionals (IAPP) and is a national board member of the Canadian Association of Professional Speakers (CAPS).

In 2019, Ross published a book called “This Is Not What I Signed Up For: A survival guide for first-time managers” to help technical subject matter experts move into management roles. It is available for purchase in eBook and softcover at Amazon.ca.
