
Data security vs data privacy: where IAM controls actually split


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5324
Topic starter  

TL;DR: Data security and data privacy overlap, but they solve different problems: security protects data from unauthorized access and misuse, while privacy governs lawful collection, use, retention, and disclosure, according to Zluri. The practical lesson is that access control, consent, retention, and review must be governed as distinct control planes, not blended into one.

NHIMG editorial — based on content published by Zluri (Security & Compliance): "Data Security vs Data Privacy: 4 Key Differences"

By the numbers:

Questions worth separating out

Q: How should organisations separate data security controls from data privacy controls?

A: Organisations should treat data security as the enforcement layer and data privacy as the governance layer.

Q: Why do access controls alone not satisfy data privacy requirements?

A: Access controls only determine who can reach a system or dataset; they say nothing about whether the collection, use, retention, or disclosure of that data is lawful.

Q: How can security teams tell whether access governance is working?

A: Access governance is working when entitlements consistently match business purpose, data sensitivity, and retention obligations.

Practitioner guidance

  • Separate privacy policy from security enforcement: assign explicit owners for lawful processing decisions, then map the enforcement controls that make those decisions operational across apps, databases, and SaaS systems.
  • Tie access reviews to data purpose and retention: require reviewers to confirm not only whether access is needed, but whether the underlying data should still exist and whether the processing purpose is still valid.
  • Treat service accounts as privacy-relevant subjects: inventory non-human identities that can read or export personal data, then include them in review, deprovisioning, and exception workflows rather than excluding them as infrastructure.
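To make the three points above concrete, here is an added example (written for this post, not code from Zluri or from the NHIMG) of an access review that keeps the two planes separate: the security plane checks whether an entitlement has been reviewed, the privacy plane checks retention and processing purpose, and service accounts go through the same checks as humans. All dataset and principal names are constructed.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Dataset:
    name: str
    sensitivity: str        # "personal" or "internal"
    purpose: str            # lawful processing purpose recorded by the privacy owner
    retention_until: date   # after this date the data should no longer exist

@dataclass
class Entitlement:
    principal: str
    principal_type: str     # "human" or "service" (non-human identity)
    dataset: str
    purpose: str            # purpose the access was granted for
    last_reviewed: "date | None"   # None = never reviewed

def review_entitlements(datasets, entitlements, today):
    """Purpose- and retention-aware access review: the security plane asks whether
    the entitlement has been reviewed; the privacy plane asks whether the data may
    still exist and whether the access purpose matches the processing purpose.
    Service accounts are checked on exactly the same terms as humans."""
    by_name = {d.name: d for d in datasets}
    findings = []
    for e in entitlements:
        d = by_name[e.dataset]
        if d.retention_until < today:
            findings.append((e.principal, e.dataset, "retention-expired"))
        if e.purpose != d.purpose:
            findings.append((e.principal, e.dataset, "purpose-mismatch"))
        if d.sensitivity == "personal" and e.last_reviewed is None:
            findings.append((e.principal, e.dataset, "never-reviewed"))
    return findings

# Constructed sample inventory (hypothetical names, not from any real system).
DATASETS = [
    Dataset("customer_pii", "personal", "billing", date(2026, 12, 31)),
    Dataset("2019_campaign_leads", "personal", "marketing", date(2024, 6, 30)),
    Dataset("build_logs", "internal", "engineering", date(2030, 1, 1)),
]
ENTITLEMENTS = [
    Entitlement("alice", "human", "customer_pii", "billing", date(2025, 1, 15)),
    Entitlement("bob", "human", "customer_pii", "analytics", date(2025, 1, 15)),
    Entitlement("svc-exporter", "service", "2019_campaign_leads", "marketing", None),
    Entitlement("svc-ci", "service", "build_logs", "engineering", None),
]

def sample_findings():
    return review_entitlements(DATASETS, ENTITLEMENTS, date(2025, 3, 1))
```

Running `sample_findings()` flags bob's purpose mismatch and two privacy findings against the service account, while the CI account with internal-only data produces nothing.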

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

  • Specific examples of access management controls such as RBAC, just-in-time access, least privilege, and segregation of duties in a SaaS environment.
  • Practical guidance on continuous monitoring of access rights and deprovisioning workflows when access gaps appear.
  • Examples of compliance alignment with GDPR, HIPAA, and ISO/IEC 27001 in the context of data handling.
  • The vendor’s own positioning on how its access management workflow supports security and privacy outcomes.

👉 Read Zluri's analysis of data security vs data privacy →
