In an interconnected world of instant information, information privacy and security are caught in a crossfire: there is an increasing demand for access to personal information in order to generate products better adjusted to people's tastes, while security requires knowledge of records and transaction movements as a prerequisite for monitoring and control by the state.

However, that crossfire does not stop the flow of information.

Security and privacy set out different and complementary domains of action, each requiring a particular level of specialty to develop a set of practices that conceptualize and materialize the exercise of access and control. Information security and privacy create a challenge for engineering and corporate practice, one that should heed the statements of a company's corporate governance in which information is defined as a strategic asset and a source of value for capitalizing on new and renewed business strategies.

In establishing the boundaries between the privacy professional and the information security manager, it is necessary to understand in detail the basics of each role and to confront the current dynamics of the organization, where these two job descriptions appear in order to comply with a legal requirement or to conform to some international good practice required to compete in a particular market.

Understanding that privacy is not confidentiality and information security is not privacy is, therefore, a reflection to be undertaken.

Privacy carries the connotation of larger institutions and requires a detailed understanding of the law that assists citizens under the law of nations, while security is a practice of information protection that cares for the declared strategic asset.

For that reason, we can see that there will be information security practices that apply to the exercise of privacy, and privacy concepts similar to the principles of information security.

Information Security and Privacy: Two Different Domains

After reviewing the annotations of Prof. Konstantinos Lambrinoudakis in the Department of Digital Systems of the University of Piraeus in Greece, it is clear that information security and information privacy belong to different domains.

While information security refers to the protection of information stored, processed and transmitted in order to fulfil the functions and purposes of an organization's information systems, information privacy is related to the protection of information tied to a subject's identity. Similarly, information security is an important tool for protecting information assets and business objectives, while privacy is focused on safeguarding individuals' rights with respect to that same information.

Currently, information privacy has been addressed as a legal issue, one that information security standards have not handled properly. While the principle of confidentiality seeks to prevent the disclosure of sensitive data to unauthorized entities, it does not focus on hiding the identity of the owner of the data or on making it impossible to link the data to its owner. So the principles of information security, such as confidentiality, integrity and availability, are not equivalent to the properties that should be secured in information privacy, such as anonymity, unlinkability, indistinguishability, untraceability and pseudonymity. Therefore, while the exercise of information protection strategies ensures correct access, privacy protection demands obscuring data so that it cannot be identified, dismantling all kinds of links between data and its owner, facilitating the use of pseudonyms and alternate names, and allowing anonymous access.
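As an added illustration of the point above (not part of the original article): hiding an identifier for confidentiality alone leaves it linkable across datasets, whereas a keyed pseudonym issued per processing purpose breaks that link unless the key holder deliberately restores it. Python; the records are constructed sample data and the purpose keys are placeholders generated on the fly.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: two datasets held by different business areas,
# both carrying the same natural identifier (the person's email).
BILLING_RECORDS = [{"email": "ana@example.com", "amount": 120},
                   {"email": "luis@example.com", "amount": 80}]
HEALTH_RECORDS = [{"email": "ana@example.com", "diagnosis": "flu"},
                  {"email": "sara@example.com", "diagnosis": "asthma"}]


def hide_by_hashing(records, field):
    """Confidentiality-style hiding: the raw value is no longer visible, but the
    same input always maps to the same output, so the identifier still links
    every dataset in which it appears."""
    return [{**r, field: hashlib.sha256(r[field].encode()).hexdigest()}
            for r in records]


def pseudonymize(records, field, purpose_key):
    """Keyed pseudonymization: the pseudonym depends on a secret key specific to
    one processing purpose, so datasets pseudonymized under different keys
    cannot be joined on this field without those keys."""
    return [{**r, field: hmac.new(purpose_key, r[field].encode(),
                                  hashlib.sha256).hexdigest()}
            for r in records]


def linkable_subjects(a, b, field):
    """Pseudonyms present in both datasets, i.e. subjects re-linkable by a join."""
    return {r[field] for r in a} & {r[field] for r in b}


def demo():
    # Hashing alone: ana's billing and health records still join.
    hashed = linkable_subjects(hide_by_hashing(BILLING_RECORDS, "email"),
                               hide_by_hashing(HEALTH_RECORDS, "email"), "email")
    # One key per purpose (placeholder keys generated here): no join possible.
    billing_key, health_key = secrets.token_bytes(32), secrets.token_bytes(32)
    separate = linkable_subjects(pseudonymize(BILLING_RECORDS, "email", billing_key),
                                 pseudonymize(HEALTH_RECORDS, "email", health_key), "email")
    # Same key reused: linkability returns by design, and whoever holds the key
    # becomes the controlled re-identification point.
    shared = linkable_subjects(pseudonymize(BILLING_RECORDS, "email", billing_key),
                               pseudonymize(HEALTH_RECORDS, "email", billing_key), "email")
    return len(hashed), len(separate), len(shared)


if __name__ == "__main__":
    print(demo())  # (1, 0, 1)
```

The three counts show the article's distinction in practice: confidentiality hides the value, but only the per-purpose key decides whether the data stays linkable to its owner.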

Information systems that satisfy security and control mechanisms do not necessarily satisfy the demands of privacy compliance. In this sense, information privacy, understood as the establishment of rules governing the treatment of personal information, demands that companies design alternative mechanisms to safeguard the identity of persons and to control access to sensitive information, in order to prevent discrimination or harm to privacy.

So, designing an information system with privacy by default cannot be done exclusively with information security mechanisms. The conditions listed above will need to be integrated, among other actions, so that the system can:

• Inform the user of the state of privacy in the information system.

• Establish simple operations and plain language so that users can learn about and understand the privacy options available to them.

• Confirm the options users should check before proceeding with actions that may be contrary to their privacy.

• Provide an effective way out of any selected option at any time during its execution, to protect the user's privacy.

• Destroy any personal information used in the course of a working session.

In short, we could say:

  Information Security: Is a process
  Privacy: Is a right

  Information Security: Protection of business information
  Privacy: Protection of personal information

Features that should be ensured
  Information Security: Confidentiality, integrity and availability
  Privacy: Unlinkability, untraceability, unobservability, anonymity and pseudonymity

Responsible for
  Information Security: Chief Information Security Officer (CISO)
  Privacy: Personal data protection delegate (PDPD) / Chief Privacy Officer (CPO)

  Privacy: Data centric

Good practices
  Information Security: ISO 27000 series, NIST and ENISA documents
  Privacy: ISO/IEC 29100 Information technology - Security techniques - Privacy framework

Figure No. 1: Information Security vs. Privacy

The Information Security Officer and Privacy Officer

Understanding that we have two different but complementary domains of knowledge, it is important to detail the two roles responsible for information security and for privacy. In this organizational exercise, it is important to understand the key objectives of each role, their achievements, and the challenges that illustrate their common and divergent areas.

  CISO: Ensure a process
  CPO: Ensure a right

  CISO: Protection of business information
  CPO: Protection of personal information

Key aspects to ensure
  CISO: Protection of information assets; focus on the business value; trusted advisor
  CPO: Guarantees for the exercise of the right of privacy; privacy program; verification of compliance of privacy practices

  CISO: Political intelligence; proven experience in security and control (minimum of 12 years); business and technical language
  CPO: Tactical and legal intelligence; proven experience in privacy (minimum of 12 years); legal and technical language

Good practices
  CISO: ISO 27000 series, NIST and ENISA documents
  CPO: ISO/IEC 29100 Information technology - Security techniques - Privacy framework

  CISO: Professional in any discipline; graduate in business
  CPO: Lawyer or IT professional; graduate in law and/or business

Figure No. 2: CISO vs. CPO

On the one hand, if we review the factors that influence the risk of privacy management, we find that ISO 29100 provides a framework for action covering topics such as legal and regulatory factors, contractual factors, business factors and other factors related to internal control systems, technical standards and the management of personal data.

The privacy manager will have extensive interaction with the legal department, a key ally in implementing and developing the privacy function in an organization. In addition, in exercising their function, privacy managers must be attuned to and become part of the corporate internal control systems, as part of the legal compliance requirements that affect the company transversally.

On the other hand, when we talk about the information security executive, we usually, and wrongly, mean a person with an eminently technical profile. However, the head of information security operates under the declaration that information is an asset, with key risks associated with its loss or leakage, and as such must ensure compliance, security and control against regulatory requirements and legislation, both internal and external.

In this sense, the CISO should establish the threshold of risk the organization accepts against the materialization of the identified risks that threaten the protection of information. This statement must be mediated by a business impact analysis, as well as by the expectations of the company's first management level, in order to establish the routes necessary to maintain a known level of exposure and to provide, in daily management, the elements needed to manage the identified risks.

These two organizational figures, according to Shey and Rose, are positions that should report to the first level of the company, since the responsibilities and impacts of their management directly affect corporate governance, potentially compromising the image of the corporation.

While the privacy officer seeks to identify the points of responsibility the organization has for the treatment of personal data, the security officer identifies and secures the organization's relevant information. Both should develop the organizational culture of privacy and security, establish a reference framework to identify, monitor and analyze emerging threats, and verify the correct application of the key practices of each domain.

Info-Sec Officer and Privacy Officer, Together or Separate?

There is currently an international trend that seeks to establish a consolidated view of the areas of corporate compliance. This exercise establishes an executive at the first corporate level who brings together all the subjects that must meet legislative requirements and international practices, in order to deliver a unified view of the state of business compliance.

Along these lines, the vice president of corporate compliance ensures corporate practices against issues as varied as information security, privacy, ethics, fraud, money laundering and compliance with the international laws required to operate, indicating effective points and points for improvement where they are evident, with greater clarity on the areas of greatest exposure for the company, which can generate nonconformity and compromise the goals of the organization.

A unified view makes it possible to combine cultural intervention efforts, streamline practices, adjust and tune controls, and increase the effectiveness and reliability of operations without compromising efficiency. As each subject requires a particular specialty, the VP of corporate compliance will need to understand the variety of subjects under their responsibility, seeking to integrate a joint view that reveals what is key to the organization without losing the specialized knowledge of each subject reviewed. Therefore, a unified area for information security and information privacy offers advantages such as those mentioned above, but it has limitations that must be analyzed and understood: not in order to mitigate the risks inherent in this merger, but to manage them with concrete actions that maintain a known level of exposure, and with procedures in place for when they materialize.

The merged world of security and privacy faces risks and challenges in the legal system. While privacy is a fundamental right to information self-determination, security is good practice.

Therefore, the level of importance and the assessment of an incident, whether security or privacy, affect the executive level according to its impact, possibly leading one or the other to take priority in a specific situation and compromising its visibility in the organizational context. On the other hand, this union of knowledge domains requires specialized profiles or knowledge of each subject, which must prioritize corporate compliance demands according to the relevance and importance of each subject for the development of the company's business within a joint view; i.e., we will have to build a distinction that adds the benefits of the practices of both subjects and that outweighs the efforts in which one is dominant and the other is not.

At the technological level, the merger of these two subjects can generate burdens and excessive controls in the execution of business processes supported by information systems if synergies between the two domains are not established. We may notice a loss of business speed that can blur the efforts both areas make to protect the company against situations that compromise its image and good name. So, merging the two areas is a decision that should be informed: the organization must be aware of the potential and the risk that harmonizing two compliance issues implies.

Final Reflections

We are at a moment in history where information privacy and security face a territorial challenge in which data has become the essence of that conquest. While the security plan focuses on authorizations and access control, privacy reflects on and requires explicit and informed consent for the processing of information.

In this context, privacy without security becomes a sterile exercise of rights that finds no real foothold in practical implementation allowing the person to demand adequate treatment of their information. Security without privacy is a discipline of information protection that focuses on protecting a key asset but does not transcend to the implications of this exercise for the person.

Both privacy and security require an exercise of joint construction that matches the relevance of both domains to develop a joint vision, allowing data to prevail as a source of competitive advantage; i.e., articulating the inherent relationships between people, processes and technologies in order to incorporate practices that move the organizational culture toward the preservation of data as the basis of business strategy.

Written By

Jeimy Cano

