PRIVACY PODCAST EPISODE FOUR: The Blur Between Privacy and Security

Key Takeaways
- The traditional separation between privacy and security is dissolving as technology and regulations force roles and responsibilities to converge. CISOs and CPOs increasingly face overlapping decisions — and overlapping accountability — driven by AI, data‑heavy systems, and fast‑changing laws.
- Most organizations understand how they protect data, but still struggle to explain why they collect it.
- Regulators, cyber insurers, and global privacy laws now expect companies to justify purpose, minimize collection, and delete unnecessary data.
- Future leaders will require hybrid legal‑technical skill sets and the ability to translate across teams, systems, and disciplines.
A Convergence Fueled by Technology and Regulation
As Aaron Tantleff and Jennifer Urban explained in Episode Four of Foley’s Privacy Week series, rapid technological evolution — AI, automation, data‑heavy platforms — has reshaped what organizations must manage. At the same time, privacy and cybersecurity laws have expanded dramatically, requiring privacy teams to understand systems and security teams to understand legal risk. This has blurred the once‑clear boundaries between roles.
Privacy now governs legitimacy, proportionality, and fairness, while security ensures resilience and detection — but both influence the same controls, from access management to logging. The result: two disciplines that remain distinct but now move in lockstep.
The Hardest Question Isn’t “How” – It’s “Why”
Most organizations can demonstrate how they protect data — through encryption, access controls, and security protocols. But many cannot clearly answer why they collect the data they have.
Coming out of the “collect everything” era, companies often lack a full understanding of:
- What they collect
- Where it lives
- How long it stays
- Whether it serves a legitimate purpose
Even privacy questionnaires frequently reveal gaps: organizations discover data they didn’t realize they held or can’t justify continued retention.
AI has intensified this challenge, making data minimization harder and purpose limitation increasingly complex. As Urban notes, the hardest conversations are often around why data is collected — not how it’s secured.
From Data Hoarding to Data Strategy
Global laws and cyber insurers are pushing organizations to shift from stockpiling data to practicing disciplined data strategy. This includes:
- Defining clear business purposes for each category of data
- Limiting secondary uses
- Reducing data retention
- Deleting information once its purpose has expired
- Vetting vendors and AI partners for appropriate safeguards
Tantleff emphasizes that mature organizations are the ones willing to delete data they no longer need — an area where many still struggle.
Building the Next Generation of Data Leaders
Tomorrow’s security and privacy leaders must be part technologist, part lawyer, part strategist, and part translator. Organizations are already hiring attorneys with engineering backgrounds, privacy professionals with technical fluency, and security experts with policy experience.
Regulators now view a lack of high‑level privacy leadership as a warning sign. Many industries are elevating privacy and security roles to the C‑suite, recognizing that these domains are critical to trust, compliance, and long‑term business sustainability.
Risk Will Never Be Zero – But It Must Be Understood
Both partners noted that security can never be perfect. Organizations must accept a baseline level of risk — but they must understand it, document it, and manage it.
True stewardship is no longer about collecting everything “just in case.” It’s about being able to articulate:
- Why the data exists
- What risks it introduces
- How it is being minimized
- When it should be deleted
And as both experts note, deletion — letting go of unnecessary data — is often one of the strongest indicators of organizational maturity.
Conclusion
The boundary between privacy and security has blurred not by accident, but out of necessity. Modern enterprises face unprecedented complexity, and neither discipline can succeed without the other. The organizations that will thrive in this environment are those that embrace unified governance, hire hybrid thinkers, and shift from defensive checklists to thoughtful data strategy.
Most importantly, they will be the organizations willing to slow down, justify why they collect data — not just how they protect it — and make responsible decisions that build trust for the long term.