Authored by: K Royal, technology columnist for, and Director at TrustArc.

This article was published as part of ACC’s “This Week in Privacy” series, a new column for in-house counsel who need advice in the privacy and cybersecurity sectors.

Question: If a company can only afford one data protection person, should that be security or privacy?

Answer: Security. However, no security is infallible. You will be breached. In fact, you probably already have been and have simply not discovered it. When you are breached, it is the privacy part that will get you in trouble when it comes to protecting personal data. I often hear security people scoff at privacy requirements, because they can “lock it up” tight. The problem is you can steal jewelry all you want and lock it up at home securely. It’s still illegal for you to have the stolen goods. And when the stolen jewelry is found — you will be in lots of trouble.

It is 99.99 percent possible that your systems have more data than needed that is retained for too long. This data is then combined with other personal data to create some type of profile. This is where companies face issues with breach notifications, regulatory action, and public retaliation – either through the media or plaintiffs’ lawyers. So yes, please make sure you lock down the data you do have, but also clean what you currently have, and then collect, use, and retain what is necessary.

For further reading, download ACC’s White Paper on “What Every GC Needs to Know About Third Party Cyber Diligence.”