
FIVE LESSONS I Learned Transitioning from Security to Privacy

James Park, CIPT, Microsoft

With the ever-evolving privacy requirements changing the global landscape, many information security professionals are being tasked with adding to or leading information privacy programs. It may seem like a natural progression, but there are five lessons I had to learn when I made my transition from working in the security and audit (with a focus on security) fields to information privacy.

1. Personally identifiable information has different meaning for different groups

Depending on the team you’re working with, the term PII might be thrown around during conversations, but the actual definition of the term may not be fully defined. It’s extremely important to set expectations up front and determine what is considered PII for the team and the organization.

“When I first took on an EU Data Privacy Program, it was key to explain to everyone involved that any piece of information leading to an individual could be considered PII.”

There were certain teams that didn’t fully grasp what would be considered PII, mainly focusing on Social Security numbers or credit card numbers. When I first took on an EU data privacy program, it was key to explain to everyone involved that any piece of information leading to an individual could be considered PII.

As a security professional, PII usually meant sensitive PII, such as driver’s license numbers, Social Security numbers, or credit card numbers. When working in my privacy program, and interacting with the information security team, I have to make sure that their definition of PII aligns with other teams’ before proceeding with any security requirements.

2. Understand why personal information is being collected

As an information security professional, whenever I heard personal information was being stored, the immediate reaction was to ask what measures were in place to protect the information. It’s only natural. The gut reaction is to ask a slew of questions about controls in place for encryption, key management, logical access procedures, log monitoring, vulnerability management, and the list goes on.

But I learned once I led a privacy program, the very first question to ask should be why the data is being stored. It’s extremely important to understand why the personal information is being collected and for what use. If teams cannot answer, then it may also mean that they did not properly give notice or obtain consent to use the personal information, two very important principles of privacy.

3. Review data stores to determine if the personal information is still needed

A common mistake I made when working with teams was to only verify that information security controls were adequate in protecting personal information. I learned quickly to pivot and ask whether or not certain data stores still needed the information, especially if the information had come from a separate repository.

It goes back to the second point of understanding why the information is needed. As part of a standard notice, one of the statements is that the organization will only store personal information until it’s no longer needed. If the information no longer serves a purpose, then it should be purged. If not, it would violate the notice that’s been communicated, even if it is protected and secured.

4. Work heavily with the legal team

When working with information security teams, legal teams were rarely involved during discussions. The idea was that they were the team to reach out to in the event of a breach, or if there was a possibility for negative press. For information privacy, it’s important to work heavily with the legal teams continuously.

Even from the initial stages of a project, when teams are planning out what personal information they need, it is important to discuss with the legal team to determine any regional requirements. Different countries have different requirements for the privacy of their residents. It’s also vital to have them involved to discuss language for the privacy policy and notices given to the consumer. Depending on the country that the personal information is being collected from, and transferred to, there may be additional regulations on which the legal team can shed light.

5. Review processes to determine where personal information is being shared

With the rise of big data, personal information has become more and more of a valuable asset. Teams within different organizations are sharing more and more data, within which personal information is included.

As an information privacy professional, it is important to understand how the information is being transferred and whether each copy is being stored securely. As an information privacy professional, it is important to take a step back and review why the information is being shared in the first place. If a team is taking in personal information for purposes that are not communicated back to the consumer, it has to be disallowed.

“Because privacy and security are sometimes thought to be the same, be prepared to teach others and explain the differences.”

Even if teams plan to use the most secure methods, if the purpose is unknown or not aligned with the notice communicated, then efforts need to be stopped. Many of the difficulties I’ve faced have been with this particular point — explaining the difference between security and privacy. Stakeholders and users of the data would argue that if they followed the information security policy, they could consume personal information. To them, privacy was synonymous with security.

Finally, I’ve learned to be patient and prepared to be a student and teacher at the same time. While you may have been tasked to add or transition a security program into a privacy program, understand that it is a change in profession. And like any change in job role, there are many differences that must be learned. In addition, because privacy and security are sometimes thought to be the same, be prepared to teach others and explain the differences. Bring examples of cases where privacy was violated versus when security was breached to try to explain the differences. Changing one’s mindset from an information security-focused individual to an information privacy-focused one is a difficult but rewarding experience.
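The second, third and fifth lessons above describe one review that a privacy program runs over its data inventory: for every store of personal information, ask why it is held, whether it is still needed, and whether each shared copy serves a purpose the consumer was actually told about. The following Python is an added example written for this page, not code from the author, Microsoft or the IAPP; the store names, the notice purposes and the dates are constructed, and the finding texts are hypothetical wording. It deliberately looks at no security controls at all, which is the point of the article: an encrypted, access-controlled store still fails the review when its purpose is unknown, its retention has ended, or its sharing is not in the notice.

```python
"""Added example: a purpose-and-retention review over a data inventory.

Illustrative code written for this page (not the author's or the IAPP's).
The notice purposes, store names, fields and dates are constructed.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional


@dataclass
class DataStore:
    """One place personal information lives, as a privacy program would record it."""
    name: str
    fields: List[str]
    purpose: Optional[str]        # why it is held; None = nobody could answer (lesson 2)
    needed_until: Optional[date]  # retention end; None = no retention decision (lesson 3)
    # recipient -> purpose of that recipient's copy (lesson 5)
    shared_with: Dict[str, str] = field(default_factory=dict)


@dataclass
class Finding:
    store: str
    issue: str
    action: str


def review_inventory(stores, notice_purposes, today):
    """Flag stores whose purpose, retention or sharing does not match the privacy notice.

    Security controls are intentionally not inspected: a protected store still
    fails if nobody can say why the data is held, if the retention period has
    passed, or if a copy is shared for a purpose the consumer was never told about.
    """
    findings = []
    for s in stores:
        # Lesson 2: the first question is why the data exists at all.
        if s.purpose is None:
            findings.append(Finding(s.name, "no stated purpose",
                                    "establish notice and consent before reviewing controls"))
        elif s.purpose not in notice_purposes:
            findings.append(Finding(s.name, f"purpose '{s.purpose}' not in privacy notice",
                                    "stop processing or update the notice with legal"))
        # Lesson 3: data past its purpose is purged even though it is secured.
        if s.needed_until is None:
            findings.append(Finding(s.name, "no retention decision",
                                    "decide when the data is no longer needed"))
        elif s.needed_until < today:
            findings.append(Finding(s.name, "retention period ended",
                                    "purge, even though the store is protected"))
        # Lesson 5: every shared copy must serve a purpose in the notice.
        for recipient, why in s.shared_with.items():
            if why not in notice_purposes:
                findings.append(Finding(s.name, f"shared with {recipient} for '{why}', not in notice",
                                        "disallow the transfer"))
    return findings


# Constructed sample notice and inventory (hypothetical names and purposes).
NOTICE_PURPOSES = {"order_fulfilment", "fraud_prevention", "customer_support"}

SAMPLE_INVENTORY = [
    DataStore("orders_db", ["email", "postal_address"], "order_fulfilment",
              date(2030, 1, 1), {"shipping_vendor": "order_fulfilment"}),
    DataStore("marketing_export", ["email", "purchase_history"], "marketing_analytics",
              None, {"ad_partner": "ad_targeting"}),
    DataStore("legacy_support_archive", ["email", "ticket_text"], "customer_support",
              date(2022, 12, 31)),
    DataStore("unknown_dump", ["name", "phone"], None, None),
]

REVIEW_DATE = date(2024, 6, 1)  # constructed "today" for the sample review


def sample_findings():
    """Run the review over the constructed inventory; used by the demo below."""
    return review_inventory(SAMPLE_INVENTORY, NOTICE_PURPOSES, REVIEW_DATE)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.store:24} {f.issue:60} -> {f.action}")
```

In the sample run, orders_db produces no findings: its purpose and its one shared copy are both covered by the notice and its retention is still open. marketing_export fails three times (purpose outside the notice, no retention decision, a copy shared for ad targeting the consumer was never told about), legacy_support_archive is flagged only for purge, and unknown_dump fails on purpose and retention. Plugging a real records-of-processing export into the same shape is the practical step; the notice set itself is what lesson 4 says to settle with the legal team.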


International Association of Privacy Professionals
