The quickest way to annoy a privacy pro

Jun 27, 2016 | 3 mins
IT Jobs, IT Skills, Security

The difference between privacy and security and how both fields can work together.


For my friends in the information security field, I have some advice: don’t ever suggest to a privacy professional that a good security program means privacy has been solved. Nothing makes privacy professionals more frustrated than the suggestion that information security solves privacy. And please, please don’t tell a privacy pro that there are no privacy issues because data is encrypted.

We all know that privacy and security are different concepts. They are linked, to be sure, but the boundaries of the two fields blur frequently, and confusion about the distinctions between privacy and security is rampant. So what are the differences between information privacy and information security, and why do we continually muddle the two concepts?

I am not an information security pro, but I do understand that information security relates to the confidentiality, integrity and access to data. Information security is born from the technological and procedural controls that we place around our data to achieve these goals. Infosec professionals have often emerged from backgrounds in IT and computer science.

In contrast, information privacy is related to how we manage data. Privacy describes the way in which we gather, store, use, share, and delete data. The field of privacy helps us to understand what is permissible and what is inappropriate with regards to our usage of data. Privacy pros often emerge from the fields of law, compliance and policy.

There are dozens of metaphors and analogies that have been used to describe the distinction between privacy and security. Over the years, I have found that perhaps the most relevant explanation is that even with perfect security you can still violate privacy – you can have effective security with zero privacy, but you cannot have great privacy without great security. In other words, security is a critical component to good privacy but does not resolve some of the other issues raised within the field of privacy. It is very true that you can have perfect security and still be incredibly stupid with regards to privacy.

This distinction between security and privacy raises one of the more challenging issues we see in the information economy today. Information security professionals speak the language of IT and security. Information privacy professionals speak a language based in law and compliance. As a result, fluency between the two domains, the ability of security and privacy professionals to understand each other, is limited.


And so we come to what I call the “critical conversation” in the information economy: the dialogue between security and privacy. Understanding the difference between privacy and security is just the first step. We must create fluency between information security and privacy professionals. Resolving enormous societal issues such as the appropriate balance between cybersecurity interests and privacy concerns will never occur without better comprehension between these domains.

So let’s start with small steps. For information security pros, I encourage you to walk across the building and introduce yourself to the privacy team. Create a dialogue that will help you understand the role and function of privacy within your organization. Help educate the privacy team on the challenges you face within an information security function. 

And whatever you do, don’t suggest that a good security program means privacy has been solved.


As President and CEO of the International Association of Privacy Professionals (IAPP), J. Trevor Hughes leads the world’s largest association of privacy professionals, which promotes, defines and supports the privacy profession globally.

Trevor is widely recognized as a leading privacy expert, appearing at SXSW, RSA and other privacy and technology events. He has contributed to media outlets such as the New York Times, TechCrunch and WIRED and has provided testimony on issues of privacy, surveillance and privacy-sensitive technologies before the U.S. Congress, the U.S. Federal Trade Commission, British Parliament and more.

Trevor previously served as the executive director of the Network Advertising Initiative and the Email Sender and Provider Coalition. He received his undergraduate degree from the University of Massachusetts, Amherst and his Juris Doctor from the University of Maine School of Law, where he is also an adjunct professor and member of the Law Foundation Board.

The opinions expressed in this blog are those of J. Trevor Hughes and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.