Data protection is the process of safeguarding important data from corruption, compromise or loss and providing the capability to restore the data to a functional state should something happen to render the data inaccessible or unusable.
Data protection assures that data is not corrupted, is accessible for authorized purposes only, and is in compliance with applicable legal or regulatory requirements. Protected data should be available when needed and usable for its intended purpose.
The scope of data protection, however, goes beyond the notion of data availability and usability to cover areas such as data immutability, preservation, and deletion/destruction.
Roughly speaking, data protection spans three broad categories, namely, traditional data protection (such as backup and restore copies), data security, and data privacy as shown in the Figure below. The processes and technologies used to protect and secure data can be considered as data protection mechanisms and business practices to achieve the overall goal of continual availability, and immutability, of critical business data.
Figure: The Three Categories of Data Protection
Principle of data protection
The principle of data protection is to deploy methodologies and technologies to protect and make data available under all circumstances.
Storage technologies can be used to protect data by using disk, tape or cloud backup to safely store copies of the data that can be used in the event of data loss or interruption. Additional software tools (e.g. cloning, mirroring, replication, snapshots, changed block tracking, etc.,) are providing another layer of data protection in addition to traditional backup. Technology advancements mean that it is now common practice to provide continuous data protection which backs up the data whenever a change is made so that recovery can be near-instantaneous.
Cloud backup is also becoming more prevalent as organizations frequently move their backup data to public clouds or clouds maintained by third-party service vendors. These backups can replace on-site disk and tape libraries, or they can serve as additional protected copies of data to provide a disaster recovery facility.
Geographical differences and variations in terms
The data storage industry looks at data protection mainly from a technology viewpoint in what is needed to keep data secure and available.
Data protection is defined by the European Union (EU) in a very different way and is often used where other regions may use the term data privacy.
It is important to understand the meaning applied to these terms to avoid confusion:
- Data protection in the EU is much more related to the protection of personal data and the rights of EU citizens
- Data protection is about protecting any data relating to an identified or identifiable natural (living) person (“data subject”), including names, dates of birth, photographs, video footage, email addresses and telephone numbers
- Data protection has precise aims to ensure the fair processing (collection, use, storage) of personal data by both the public and private sectors
Learn more about Data Protection in our Educational Library
Data privacy, sometimes also referred to as information privacy, is an area of data protection that concerns the proper handling of sensitive data including, notably, personal data[1] but also other confidential data, such as certain financial data and intellectual property data, to meet regulatory requirements as well as protecting the confidentiality and immutability of the data.
Roughly speaking, data protection spans three broad categories, namely, traditional data protection (such as backup and restore copies), data security, and data privacy as shown in the Figure below. Ensuring the privacy of sensitive and personal data can be considered an outcome of best practice in data protection and security with the overall goal of achieving the continual availability and immutability of critical business data.
Please note that the term data privacy contains what the European Union (EU) refers to as “data protection.”
Figure: The Three Categories of Data Protection
Security becomes an important element in protecting the data from external and internal threats but also when determining what digitally stored data can be shared and with whom. In a practical sense, data privacy deals with aspects of the control process around sharing data with third parties, how and where that data is stored, and the specific regulations that apply to those processes.
Almost all countries in the world have introduced some form of legislation concerning data privacy in response to the needs of a particular industry or section of the population.
Data Sovereignty
Data sovereignty refers to digital data that is subject to the laws of the country in which it is located.
The increasing adoption of cloud data services and a perceived lack of security has led many countries to introduce new legislation that requires data to be kept within the country in which the customer resides.
Current concerns surrounding data sovereignty are related to governments trying to prevent data from being stored outside the geographic boundaries of the originating country. Ensuring that data exists only in the host country can be complex and often relies on the detail provided in the Service Level Agreement with the Cloud Service Provider.
Data Privacy - Geographical variations in terms
In the European Union, privacy is recognised as an absolute fundamental right and in some parts of the world privacy has often been regarded as an element of liberty, the right to be free from intrusions by the state. In most geographies, privacy is a legal concept and not a technology, and so it is the term data protection that deals with the technical framework of keeping the data secure and available.
Why is Data Privacy important?
The answer to this question comes down to business imperatives:
- Business Asset Management: Data is perhaps the most important asset a business owns. We live in a data economy where companies find enormous value in collecting, sharing and using data about customers or users, especially from social media. Transparency in how businesses request consent to keep personal data, abide by their privacy policies, and manage the data that they’ve collected, is vital to building trust with customers who naturally expect privacy as a human right.
- Regulatory Compliance: Managing data to ensure regulatory compliance is arguably even more important. A business may have to meet legal responsibilities about how they collect, store, and process personal data, and non-compliance could lead to a huge fine. If the business becomes the victim to a hack or ransomware, the consequences in terms of lost revenue and lost customer trust could be even worse.
Data Privacy is not Data Security
Businesses are sometimes confused by the terms and mistakenly believe that keeping personal and sensitive data secure from hackers means that they are automatically compliant with data privacy regulations. This is not the case. Data security protects data from compromise by external attackers and malicious insiders whereas data privacy governs how the data is collected, shared and used.
Differing legal definitions of Data Privacy
If there is agreement on the importance of data privacy to a business, then the legal definition can be extremely complex.
None of the most prevalent regulations (GDPR, CCPA, HIPAA etc) define precisely what is meant by data privacy and it is left to businesses to determine what they consider best practice in their own industry. The legislation often refers to what is considered ‘reasonable’ which may differ between laws, along with the respective fines.
In practice, this means that companies who work with sensitive and personal data should consider exceeding the legal parameters to ensure that their data practices are well above those outlined in the legislation.
[1] Personal Data (known as Personally Identifiable Information or PII) means any information which can be used to distinguish or trace the identity of an individual (e.g., name, social security number, biometric records, etc.) alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual (e.g., date and place of birth, mother’s maiden name, etc.).
Learn more about Data Privacy in our Educational Library