Concepts of Data Privacy and Sensitivity
Notions on Data Sensitivity and Privacy
The importance of data should be understood by thinking about what would happen if its security — confidentiality, integrity, and availability — was compromised. It’s not just about keeping information secret; it’s also about how important that information is for running the business smoothly. For example, public information might not need to be kept secret, but if it becomes unavailable, it could still cause big problems.
Data needs to be protected in a system that ensures it remains confidential, accurate, and available when needed. In simple terms, this means a data management system that allows only trusted users to view or change data, and blocks access for everyone else through methods like encryption. Also, it’s important to think about privacy when creating data management rules.
Distinguishing Between Security and Privacy
Keeping data safe is important, but so is privacy. Privacy becomes essential when personal information is collected and used. Personal information means any detail that identifies a person, also called the data subject. Unlike security, which focuses on keeping data confidential, accurate, and available, privacy is about setting rules to identify personal data, make sure it’s handled legally, limit access to authorized people, and allow individuals to see or delete their information.
Managing Data Through Its Lifecycle
A data lifecycle model shows different stages that help create security and privacy rules. Most frameworks include these main steps:
- Creation/Acquisition: Data is created by staff or systems, or it comes from a client or supplier. This is when it’s categorized and tagged.
- Dissemination/Application: Data is shared as needed for legal purposes with trusted users and external partners.
- Storage: Sometimes, data needs to be kept even after its active use due to legal requirements.
- Elimination: When data is no longer needed, it must be properly deleted from storage.
Managing data is a huge task for any organization. Most methods focus on structured data (information that’s organized and easy to control). Dealing with unstructured data like emails, messages, or phone calls is even harder, though there is software designed to help.
Roles and Accountabilities in Data Management
A data governance plan explains the security measures to be used at each stage of the data lifecycle. Key roles in managing and regulating data through its lifecycle include:
- Information Custodian: A senior role responsible for keeping the data’s confidentiality, integrity, and availability (CIA). The custodian labels the data and ensures it is well protected.
- Data Overseer: Focuses on data quality, including proper labelling and making sure it follows legal guidelines.
- System Manager: Handles the practical side of the system that stores the data, such as setting access limits, encryption, and backups.
- Privacy Manager: Manages personal data and ensures compliance with legal and regulatory requirements.
In the area of laws and rules for protecting privacy, these two roles are important:
- Data Director: Decides why and how data is collected and stored, ensuring legal compliance. The director is ultimately responsible for any privacy issues.
- Data Handler: Works under the data director to help with data collection and storage. The handler follows the director’s instructions.
Categories of Information
Information classification is about tagging different types of data to make managing it easier throughout its life. These tags act as decision criteria for how each set of data should be labelled and handled.
Tagging frameworks often focus on the level of secrecy needed:
- Open (Non-Classified): No limits on who can access this data. Sharing it poses no threat, but changing it or making it unavailable could cause problems.
- Restricted (Classified): Only for certain people within the organization or specific third parties under a confidentiality agreement.
- Vital (Ultra-Secret): Very important data where any risk of exposure is not acceptable. Access is strictly controlled.
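The following is an added example, not code from the original article: a small policy engine that turns the three secrecy levels above, the lifecycle stages from the earlier list (creation, use, storage, elimination) and the privacy right of a data subject to see their own records into concrete access and retention decisions. The level names, the user and record attributes (internal, NDA, per-record grants, retention days) and the sample data are all constructed assumptions, not anything the article prescribes.

```python
"""Added example (not from the original article): classification-driven access
decisions plus lifecycle retention checks. Every name and value is constructed."""

from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import IntEnum
from typing import List, Optional, Set


class Secrecy(IntEnum):
    OPEN = 0        # "Open (Non-Classified)": no read limits
    RESTRICTED = 1  # "Restricted (Classified)": staff or NDA-bound partners only
    VITAL = 2       # "Vital (Ultra-Secret)": explicit per-record grant only


@dataclass
class Record:
    record_id: str
    secrecy: Secrecy
    personal: bool                  # identifies a data subject, so privacy rules apply
    subject: Optional[str]          # the data subject, if personal
    created: date                   # lifecycle stage 1: creation/acquisition (tagged here)
    retain_days: int                # assumed legal retention period after creation
    content: Optional[str] = "..."  # payload; cleared on elimination
    stage: str = "created"          # created -> in_use -> stored -> eliminated


@dataclass
class User:
    name: str
    internal: bool                  # staff (True) or external party (False)
    nda: bool = False               # external partner under a confidentiality agreement
    grants: Set[str] = field(default_factory=set)  # explicit grants for Vital records


def can_read(user: User, record: Record) -> bool:
    """Read decision driven purely by the secrecy tag on the record."""
    if record.stage == "eliminated":
        return False
    if record.secrecy == Secrecy.OPEN:
        return True
    if record.secrecy == Secrecy.RESTRICTED:
        return user.internal or user.nda
    return record.record_id in user.grants  # Secrecy.VITAL


def can_write(user: User, record: Record) -> bool:
    """Even Open data must stay accurate: only staff who may read it may change it."""
    return user.internal and can_read(user, record)


def subject_access(subject: str, records: List[Record]) -> List[str]:
    """Privacy rule: a data subject may see every live record that is about them."""
    return [r.record_id for r in records
            if r.personal and r.subject == subject and r.stage != "eliminated"]


def eliminate(record: Record, today: date) -> bool:
    """Lifecycle stage 4: delete only once the retention period has elapsed."""
    if today < record.created + timedelta(days=record.retain_days):
        return False  # still inside the legally required storage window
    record.content = None
    record.stage = "eliminated"
    return True


def build_sample():
    """Constructed users and records used by the demo below (assumed values)."""
    users = {
        "alice": User("alice", internal=True),
        "bob": User("bob", internal=False, nda=True),
        "eve": User("eve", internal=False),
    }
    records = [
        Record("R1", Secrecy.OPEN, False, None, date(2024, 1, 1), retain_days=30),
        Record("R2", Secrecy.RESTRICTED, True, "carol", date(2024, 1, 1), retain_days=365),
        Record("R3", Secrecy.VITAL, False, None, date(2024, 1, 1), retain_days=3650),
    ]
    return users, records


if __name__ == "__main__":
    users, records = build_sample()
    for u in users.values():
        for r in records:
            print(f"{u.name:5} {r.record_id} read={can_read(u, r)} write={can_write(u, r)}")
    print("carol's records:", subject_access("carol", records))
    print("delete R2 mid-2024:", eliminate(records[1], date(2024, 6, 1)))
    print("delete R2 in 2025:", eliminate(records[1], date(2025, 1, 1)))
```

Note that the write rule is deliberately stricter than the read rule: the Open level says sharing poses no threat, but altering that data still does, so outsiders who may read a public record are not allowed to change it.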
Another way to classify data is by its type:
- Company-Owned Info: This includes the organization’s intellectual assets related to products or services. This kind of information is valuable to competitors and even foreign governments in areas like defence or energy. Unauthorized copying is also a concern.
- Individual Data: Information about people’s identities.
- High-Risk: Often related to personal data. Making this information public could cause harm or lead to biased decisions. Under the EU’s GDPR, high-risk data includes things like religious beliefs and political opinions.
Conclusion
Managing data effectively is complicated but very important. It means balancing security and privacy at every stage of data’s life. Specialized roles within the organization help keep this balance, and classification systems guide how data should be handled. As data becomes more central to how businesses operate and are managed, handling it ethically and legally becomes even more important.
As a DevSecOps enthusiast, I hope you enjoy this article. In this column called “Mindful Monday Musings” here every Monday, I will share articles on Dev(Sec)Ops and Cloud. You can support M3 (aka Mindful Monday Musings) by following me and sharing your opinions. Please send me your contributions, criticisms, and comments; they would make me glad.