Let’s start with basic definitions.

Data protection: the process of safeguarding important information from corruption, compromise, or loss. This process includes backup and recovery as well as controls around data security and data integrity.

Data privacy (a.k.a. information privacy): the process of managing certain types of data to ensure that it is not misused.

Note that while data protection provides tools and policies to safeguard data, data privacy restricts access to sensitive data.

Data protection = data access restriction

The COVID-19 pandemic forced companies to shift their focus on data protection to support remote workers, adopting a digital-first, remote-first approach. As confirmed by IBM’s 2021 Cost of a Data Breach report, this approach puts data of all types at greater risk of cybersecurity attacks, including malware, ransomware, and phishing schemes. With the average data breach taking upwards of 287 days to identify and contain, it’s obvious how critical the issue of data protection is for businesses today.

Cybersecurity experts agree that developing a data protection strategy to prevent attacks is imperative for businesses of all sizes. Here’s what you’ll need to do to get started:

• Understand the data you have
• Create a risk-based strategy to manage business operational risk, reputational risk, and legal/compliance risk
• Take a holistic business approach, bringing together information technology, legal, and security expertise
• Foster a security-aware working culture
• Develop strong information governance for both physical and digital data
• Build up your defenses in depth
• Factor remote workers into your strategy

Data privacy: defining who gets access

One of the many reasons data needs to be protected is to protect individuals’ privacy. 

Businesses need personally identifiable information (PII) such as names, addresses, social security numbers, telephone numbers, and email addresses to service customers. The loss of PII can result in substantial harm to customers, employees, and business.

To help protect this data, there are many laws and regulations around data privacy, focusing on either geography or industry-specific sectors. Here are a few examples:

Geography focus:

• European General Data Protection Regulation (GDPR): ushered in a new era of data privacy, transforming the rules for using personal data and the fines for non-compliance (see Iron Mountain’s GDPR Resource site for details)
• California Privacy Rights Act of 2020 (CPRA): first US privacy law of a similar magnitude to GDPR

Industry-specific focus:

• Health Insurance Portability and Accountability Act (HIPAA)
• Family Educational Rights and Privacy Act (FERPA)

More data privacy issues have arose as companies continue to struggle during a global pandemic. Rightfully, privacy budgets doubled in 2020 to an average of $2.4 million. 

To fully safeguard customer and employee information simultaneously, companies need to take both data protection and data privacy seriously. Data breaches are no longer isolated events, and when data is stolen or leaked, there can be serious repercussions.

The COVID-19 pandemic has ratcheted up the need for greater efforts around data protection and privacy. As organizations grapple with new ways of doing business, they will likely continue to support remote and digital-first workplaces for the foreseeable future.

Tara Holt is a former senior product marketing manager at Iron Mountain.