Data Privacy vs. Data Security: Distinctions and Overlap
Data privacy and data security are legally and operationally distinct disciplines that share significant technical infrastructure and regulatory overlap. Organizations subject to frameworks such as HIPAA, the GDPR, or the California Consumer Privacy Act must satisfy obligations from both domains simultaneously, yet the enforcement authorities, professional standards, and control mechanisms governing each differ in fundamental ways. This page maps those distinctions, describes the mechanisms through which each domain functions, and identifies the decision boundaries practitioners use when assigning responsibility and controls.
Definition and scope
Data security is the body of technical and administrative controls that protect data from unauthorized access, alteration, destruction, or disclosure — regardless of whose data it is or what consent arrangements govern its use. The National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0 frames data security as a function of protecting the confidentiality, integrity, and availability (CIA triad) of information assets. Controls encompass encryption, access management, network segmentation, intrusion detection, and audit logging. Enforcement authority over data security obligations flows through sector-specific regulators: the Department of Health and Human Services Office for Civil Rights (HHS OCR) enforces the HIPAA Security Rule (45 CFR §§ 164.302–318), the Federal Trade Commission (FTC) enforces the Gramm-Leach-Bliley Act Safeguards Rule for financial institutions, and the Securities and Exchange Commission (SEC) enforces cybersecurity disclosure rules for public companies under 17 CFR § 229.106.
Data privacy governs the rights of individuals over the collection, use, retention, sharing, and deletion of personal information. Where data security asks "is this data protected from unauthorized access?", data privacy asks "is this data being used in ways the subject has authorized or that law permits?". The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) and enforced by the California Privacy Protection Agency (CPPA) alongside the California Attorney General, grants California residents rights to access, delete, and correct their personal information and to opt out of its sale or sharing. At the federal level, the FTC Act Section 5 prohibition on unfair or deceptive practices has been applied to privacy violations independent of a dedicated federal privacy statute.
The scope overlap is substantial: a breach of data security — an unauthorized disclosure of personal health records, for example — simultaneously triggers data security incident response obligations and data privacy breach notification requirements under HIPAA and applicable state law. The data security provider listings on this site catalog services operating across both domains.
How it works
The mechanisms of each discipline operate through distinct but interconnected layers.
Data security mechanisms follow a control-based model. The HIPAA Security Rule structures its safeguards into three categories (administrative, physical, and technical; 45 CFR §§ 164.308, 164.310, and 164.312), and the NIST SP 800-53, Rev. 5 control catalog (csrc.nist.gov) supplies the detailed control families that map onto them:
- Technical controls — encryption at rest and in transit, multi-factor authentication, role-based access control, endpoint detection and response, and network monitoring tools.
- Administrative controls — security policies, workforce training, risk assessments, incident response plans, and vendor management programs.
- Physical controls — facility access restrictions, hardware disposal procedures, and environmental safeguards.
Data privacy mechanisms follow a rights-and-consent model structured around:
- Notice and transparency — privacy policies and data processing disclosures informing subjects of collection purposes.
- Consent and lawful basis — documented legal bases for processing (consent, contract, legitimate interest, legal obligation) as required under frameworks such as the GDPR (Regulation (EU) 2016/679, Article 6).
- Data minimization and retention limits — collecting only what is necessary and deleting it when no longer required.
- Individual rights fulfillment — operationalizing subject access requests, deletion requests, and opt-outs within statutory timeframes.
- Data protection impact assessments (DPIAs) — required under GDPR Article 35 for high-risk processing activities.
The service categories indexed here show how these frameworks intersect in practice.
Common scenarios
Healthcare records management — A hospital must implement HIPAA Security Rule safeguards (data security) while simultaneously honoring patient rights to access and amend their records under the HIPAA Privacy Rule (45 CFR Part 164, Subpart E) (data privacy). The two rules share a common enforcement authority — HHS OCR — but impose separate compliance workstreams with distinct documentation requirements.
Retail and e-commerce — A retailer processing payment card data must meet PCI DSS technical security standards while complying with CCPA data privacy obligations for California residents. PCI DSS governs how card data is secured; CCPA governs whether and how that data, combined with purchase history, can be shared with or sold to third parties.
Cloud service contracts — A data processor (cloud vendor) and data controller (enterprise customer) must negotiate data processing agreements that address both the security obligations the processor will meet (encryption standards, breach notification timelines) and the privacy obligations governing transfers of personal data — including cross-border transfer mechanisms required under GDPR Chapter V.
Ransomware incidents — A ransomware attack that encrypts systems but does not exfiltrate data is primarily a data security incident. If the same attack involves exfiltration of personal records, it triggers data privacy breach notification obligations under the breach notification statutes that all 50 states, the District of Columbia, and several U.S. territories have enacted, plus HIPAA notification requirements if protected health information is involved. HIPAA sets a stricter bar: HHS OCR's ransomware guidance treats the encryption of electronic PHI by ransomware as a presumptive breach under 45 CFR § 164.402 unless the covered entity documents, through the four-factor risk assessment, a low probability that the PHI was compromised, so even an attack with no confirmed exfiltration can be notifiable when PHI is involved. Outside HIPAA, the distinction between a security event and a notifiable privacy breach depends on whether personal information was accessed or acquired by an unauthorized party — a determination that requires forensic analysis (log review, evidence of staging or outbound transfer, attacker tooling capabilities), not just recovery of systems.
Decision boundaries
Practitioners and legal counsel use four primary criteria to classify a given obligation as data security, data privacy, or both:
| Criterion | Data Security | Data Privacy |
|---|---|---|
| Governing question | Is data protected from unauthorized access? | Is data used in authorized ways? |
| Controlling framework | NIST CSF, HIPAA Security Rule, PCI DSS, SOC 2 | GDPR, CCPA/CPRA, HIPAA Privacy Rule, FTC Act §5 |
| Primary enforcement trigger | Breach, vulnerability, or control failure | Unauthorized collection, use, or failure to honor rights |
| Professional discipline | Information security, IT, cybersecurity | Privacy law, compliance, data governance |
Three boundary conditions require careful analysis:
Anonymization and de-identification — Data that has been de-identified under HIPAA (45 CFR § 164.514(b)), either by the Safe Harbor method (removal of the 18 enumerated identifier types in § 164.514(b)(2), with no actual knowledge that the remainder could identify an individual) or by the Expert Determination method (§ 164.514(b)(1)), is no longer subject to HIPAA Privacy Rule requirements, but it remains subject to data security controls because re-identification risk persists and the dataset retains business value. De-identification is a privacy mechanism; protecting the de-identified dataset is a security obligation.
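The Safe Harbor method is mechanical enough to show in code. The following is an added example, not code from this page or from HHS: it applies the § 164.514(b)(2) rules (drop direct identifiers, keep only the year of dates, bucket ages over 89 into "90+", truncate ZIP codes to three digits or "000" for sparsely populated areas, and scrub identifiers that leak into free text) to a constructed patient record. The field names, the sample record, the reference date used for the over-89 check, and the set of restricted three-digit ZIP prefixes (taken from HHS guidance based on 2000 Census data, which should be re-verified against current data) are all assumptions of this example.

```python
"""Safe Harbor style de-identification of a constructed patient record.

Illustrative example only: the rules follow 45 CFR 164.514(b)(2), but the
record layout, field names, and sample data are assumed for this page.
"""
import re
from datetime import date

# Direct identifiers dropped outright (Safe Harbor items A and D through R).
# These keys are assumed names for this example's record layout.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_no", "license_no", "vin", "device_id", "url", "ip", "biometric",
    "photo",
}

# Date fields reduced to the year only (item C).
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}

# Three-digit ZIP prefixes whose combined population is <= 20,000 people,
# as listed in HHS guidance derived from 2000 Census data (assumption:
# re-check against current Census figures before relying on it).
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}

# Identifiers that routinely hide inside free-text fields such as notes.
# Order matters: more specific patterns run before the loose phone pattern.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "[IP]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"), "[PHONE]"),
]


def generalize_zip(zip_code: str) -> str:
    """Keep the first three ZIP digits, or 000 for sparsely populated areas (item B)."""
    zip3 = zip_code.strip()[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def scrub_free_text(text: str) -> str:
    """Replace SSN, IP, e-mail, and phone patterns with placeholder tags."""
    for pattern, tag in FREE_TEXT_PATTERNS:
        text = pattern.sub(tag, text)
    return text


def safe_harbor_deidentify(record: dict, as_of: date = date(2024, 1, 1)) -> dict:
    """Return a copy of `record` with Safe Harbor identifiers removed or generalized.

    `as_of` is the reference date for the over-89 age check (assumed here; in
    practice use the dataset's extraction date).
    """
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                                        # drop entirely
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key in DATE_FIELDS:
            out[key] = str(date.fromisoformat(value).year)  # year only
        elif isinstance(value, str):
            out[key] = scrub_free_text(value)               # catch leaks in text
        else:
            out[key] = value

    # Item C, second clause: ages over 89, and any date element (including a
    # birth year) that reveals such an age, collapse into a single "90+" bucket.
    # Year arithmetic is deliberately conservative (may flag a few 89-year-olds).
    age = out.get("age")
    if "dob" in out:
        age = as_of.year - int(out["dob"])
    if age is not None and age > 89:
        out["age"] = "90+"
        out.pop("dob", None)
    return out


# Constructed sample record for this example; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0012345",
    "ssn": "123-45-6789",
    "email": "jane.sample@example.com",
    "dob": "1931-07-04",
    "admit_date": "2023-11-02",
    "zip": "03601",
    "age": 92,
    "diagnosis": "I10",
    "notes": "Pt reachable at 603-555-0142 or jane.sample@example.com; lives alone.",
}

if __name__ == "__main__":
    print(safe_harbor_deidentify(SAMPLE_RECORD))
```

Two points the code makes that the rule text does not: free-text fields are where Safe Harbor compliance usually fails, because the identifier lives in a note rather than a labelled column, and the over-89 rule has to be re-applied after date generalization, since a bare birth year still reveals extreme age. The output record is still a security asset: the diagnosis, admission year, and ZIP3 are exactly the quasi-identifiers that make re-identification attacks against linked datasets possible, which is why it stays inside the access-controlled, logged environment described under data security.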
Third-party data sharing — Sharing data with a vendor who applies strong encryption (a security control) does not satisfy data privacy requirements if the sharing lacks a lawful basis, contractual protections, or required disclosures. Security adequacy does not substitute for privacy compliance.
Incident response scope — When a security incident is detected, the data security team determines containment and remediation. Privacy counsel determines notification obligations based on whether personal information was implicated and whether the incident meets the applicable statutory definition of a "breach." These determinations run in parallel, not in sequence, and the security team's forensic findings (what data was accessed, by whom, and whether it left the environment) are the evidence counsel needs to make the notification call. The page on how to use this data security resource describes how professionals working in both domains can locate relevant service providers within this index.