Privacy vs Security — GDPR, CCPA & Beyond

Ben Pournader
Mar 1, 2023


Privacy vs Security

Privacy relates to the rights individuals have with respect to their personal information. It becomes very important when personal data is processed, because we need to make sure that we handle that type of data ethically. In the context of Personally Identifiable Information (PII), security refers to how the personal information is protected, and privacy is about how we treat that data in an ethical manner.

We can have security without privacy, but we can’t have privacy without security. In practice, Privacy is mostly about the laws and regulations requiring companies to protect personal data, and Security is the technical methods that we use to protect such data.

Privacy Compliance

Privacy compliance is the line between the legal and the illegal. Complying with privacy laws and regulations helps us to protect our customers in different countries or states by ensuring their data gets handled appropriately. Companies not in compliance with the GDPR and CCPA may face heavy fines and may end up destroying their brand reputation.

Privacy in Products

GDPR, CCPA and other privacy rules and regulations expect our products to meet all (or some) of the following privacy expectations in order to be compliant. Each expectation reflects an aspect of privacy that products must meet, as a baseline, to be ready for launch.

  1. Establishing the Purpose: We must define a purpose (a clear reason) for processing data. We must tell people/customers the purpose before we collect, use, share or store their data and our data practices must be justified based on the purpose. There can be multiple purposes for a single type of data or feature.
  2. Purpose Limitation: Process data just for a limited, clearly stated purpose that provides value to people/customers.
  3. Data Minimization: Collect and create the minimum amount of data required to support clearly stated purposes.
  4. Data Retention: Store and keep the data only if it is required to support clearly stated purposes.
  5. Data Misuse: Protect data from loss, abuse, and unauthorized access.
  6. Transparency & Control: Communicate product behavior and data practices clearly, proactively, and honestly. Whenever possible, give people/customers control over their data.
  7. Data Access & Management: Provide people the ability to access and manage the data that we have collected or created about them when possible.
  8. Fairness: Build products that identify and mitigate risk for vulnerable populations and minorities, and ensure value is created for them.
  9. Accountability: Maintain internal processes and implement technical safeguards around products and practices.

Data that You May Handle

A. Personally Identifiable Information (PII)

PII is a kind of information that directly identifies an individual (full name, address, social security number or other identifying number or code, like phone number, email address and so on) or can be used to identify specific individuals in conjunction with other data elements.

B. Sensitive Personal Data (SPD)

According to GDPR, sensitive data, or special category data, is any data that reveals a subject’s information. Examples of sensitive data are racial or ethnic origin, political beliefs and religious beliefs.

Controller vs Processor

A data controller is an entity (person, company, organization) which determines the why and the how for processing personal data. In other words, the data controller is responsible for determining the purposes and means of the processing of personal data based on the data protection principles (listed above in the Privacy in Products section).

A data processor is another entity that performs the data processing on the controller’s behalf. Processing covers the operations performed on personal data (such as data collection, data structuring, data storage and retention, data usage and data disclosure).

As an example, if your company has a contract with another company for payroll processing, the payroll company provides the system to store and process employees’ information, so it is the data processor, and your company is the data controller.

Data Protection by Design and by Default

Data protection by design and by default means you have to integrate data protection into business practices, from the design stage all the way to the end of the data lifecycle, which is data disposal. GDPR requires controllers to implement appropriate technical and organizational measures to (1) implement the data protection principles (listed above in the Privacy in Products section) and (2) ensure that only the minimum quantity of data is processed for each purpose.


