Data is now being seen for what it is – a valuable commodity that organisations have a duty to take care of. While data privacy regulates how an organisation uses and handles the data it holds, data protection focuses on the measures taken to safeguard that data. Here experts at Nedap looks at the difference between the two and how each should be handled in terms of access and security.
Data privacy is about defining who has access to what data and how they can use that information. It dictates how personally identifiable information (PII) can be handled – the kind of data often linked to mobile access control credentials, such as a person’s name, address, telephone number, etc. But data privacy can also relate to data held about an organisation, such as financial details, intellectual property or government policy.
In mobile access control, data privacy is crucial. Without it, there are no rules for how the information provided by people needing access can be used, stored, or shared. This means their private details could fall into the wrong hands and the results could include spam emails, identity theft, harassment and more. The knock-on effect for an organisation that’s not ensured data privacy can be reputation damage and reduced trust from employees and customers, not to mention fines.
To help enforce data privacy, many countries have created regulations to govern how organisations can collect, store, use and share data. These include, for example, the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS).
Data protection is about keeping confidential information secure and protected from theft, loss or compromise. It’s key to ensuring private data remains private, but easily accessible to the people and processes authorised to use it.
If we consider the data pipeline, then data privacy is at the front end, controlling how data is collected and used. Data protection is at the back end of the pipeline, controlling how data is secured. And this is where data centres come in, because these high-security sites are where data is stored and kept safe on servers.
When you use the Nedap Mobile Access solution, for example, all the data collated from you, your employees and other passholders is held in data centres in The Netherlands. These centres meet stringent certifications for both data privacy and data protection and are monitored continuously to ensure the data is available for use in granting access.
The data you collate and use for mobile access remains yours – the provider of your mobile access control solution just stores it on your behalf. Data in a reputable mobile access is very safe, according to Nedap. The following are examples of the circumstances under which a solution, such as that of Nedap, can keep data safe:
1) Device theft
Mobile passes are protected by the privacy and security features on the mobile device. These are increasingly more advanced and typically involve PIN, password or biometric access. Even if a thief found a way to access a mobile pass, they wouldn’t be able to access the data held on it. And the pass can be suspended remotely to prevent them using it.
2) Data theft, loss or misuse
The provider of your mobile access control solution should store data according to strict standards and guidelines to ensure it’s kept private and protected from loss, theft or misuse. Nedap uses the ECv3 multi-layered encryption scheme, for example, to ensure the confidentiality of personally identifiable information.
3) Snooping by operators and device providers
Providers of mobile service plans and devices can’t see the credentials stored on them – just like they can’t access bank details from banking apps. Neither can they see what people access, or when, via their mobile access credentials.
According to Nedap, the possibilities presented by mobile access control will continue to grow in line with the growth of new technologies and functionalities. To take advantage of these possibilities in a safe, secure way, data privacy must be a priority. It is the duty of mobile access solution providers, and organisations using mobile access control, to protect data privacy – and, in turn, the people using mobile passes.