Data Privacy Day and Change Your Password Day arrive at a time when privacy concerns have shifted from niche technical debates to everyday business and personal risk. As digital services expand and data becomes increasingly distributed, the threat to privacy grows. Identity compromise, human behaviour and loss of data control now sit at the heart of many of today’s most damaging security incidents.
The uncomfortable truth is that most breaches no longer begin with attackers smashing through hardened defences. Instead, they exploit trust.
Corey Nachreiner, CSO at WatchGuard Technologies, explained that data privacy risk today is “driven by identity compromise and the misuse of trusted access.” Threat actors are relying more heavily on social engineering and AI-enabled deception to steal credentials, impersonate legitimate users and quietly exfiltrate data.
These attacks are rarely sophisticated at the point of entry. A deceptive link, a malicious download or a convincing impersonation is often enough. That is why protecting data now requires a more unified approach, bringing together identity, endpoint and network protections, alongside strong user awareness. When security layers operate in silos, gaps inevitably appear — and attackers are quick to exploit them.
Nachreiner noted that simple controls still make a significant difference. Verifying download sources, enforcing multi-factor authentication and maintaining strong credential hygiene can stop attacks early, before credential theft escalates into a data breach, regulatory exposure or lasting reputational damage.
This focus on credentials makes Change Your Password Day particularly relevant, but not in the way it is often framed.
Darren Guccione, CEO and co-founder at Keeper Security, highlighted that most account compromises do not rely on advanced hacking techniques. “In the vast majority of cases, it is not because of advanced hacking techniques, but because the same password is reused across multiple services,” he said. Once one platform is breached, attackers immediately test those credentials elsewhere, turning a single incident into widespread account takeover, financial fraud or identity theft.
The challenge is that managing dozens of strong, unique passwords without help is unrealistic. This is where tools, rather than memory or discipline, matter most. Password managers allow users to generate and store unique credentials for every account, while multi-factor authentication provides a critical second layer of defence. Together, they significantly reduce the risk of compromise.
Good personal security, Guccione argued, should be simple, repeatable and built into daily behaviour — not dependent on occasional password changes or constant vigilance.
Yet privacy risk is not only a technical or credential problem. It is also deeply tied to how data is owned, shared and controlled.
Michael Murphy, Deputy CTO at Arqit, pointed out that today’s data landscape looks very different from even a few years ago. Infrastructure is more distributed, regulation is tighter and geopolitical boundaries matter more. In this environment, data privacy cannot be separated from data ownership and control.
Too often, organisations hand data over to third parties without fully understanding how it is stored, accessed or deleted. When visibility is lost, so too is control. Organisations may not know where their data resides, who can access it or how securely it is being handled, and that loss of control creates real risk.
Encryption remains a critical safeguard, but only when applied correctly. Protecting data at rest or in transit is no longer sufficient on its own. Murphy stressed the need to consider how data is protected while it is being processed, particularly in shared or cloud environments. Rethinking shared ownership models allows organisations to use third-party infrastructure while retaining meaningful control over their data.
For individuals, the stakes are becoming increasingly personal.
Brian Higgins, security specialist at Comparitech, reflected on how dramatically attitudes have shifted over the past decade. Where sharing was once the norm, high-profile breaches affecting nation states, corporations and individuals have left many people concerned — and increasingly wary — about who has access to their data.
Higgins said that initiatives like Data Privacy Day should act as catalysts for better personal data hygiene. That includes enabling multi-factor authentication wherever possible, regularly reviewing platform privacy settings, purging unknown online contacts, and considering credit monitoring where feasible. Just as importantly, people should understand what to do in the event of a data breach, however small.
“Personal responsibility is the best defence these days,” Higgins said. “Your data is far too valuable financially, corporately or ideologically for anyone else to be relied upon to protect it for you.”
Chris Hauk, consumer privacy advocate at Pixel Privacy, added that people should not rely on their country’s government to protect them with new rules and regulations, as they are really not there to help you. He said: “Nor can users rely on the companies they deal with to keep their data private. We have seen thousands of data breaches in recent years, exposing just how little organizations know about protecting their customers’ personal info.
“Stay private by using a VPN to hide your travels around the web. It’s no business but your own as to what you’re doing on the internet.”
Inside organisations, human behaviour remains the decisive factor.
Tim Ward, CEO of Redflags, noted that most privacy failures do not start with exotic exploits, but with everyday decisions. While organisations have invested heavily in technology and policy, the real battleground is how people interact with data in the flow of work.
Ward argued that protecting personal data requires moving beyond annual training and static policies. Instead, privacy needs to be designed into daily workflows using behavioural insights, just-in-time guidance and smart guardrails. By providing live, in-context support at the moment someone is about to share, download or move sensitive information, organisations can make the right choice the easiest choice.
Emerging technologies also bring both new risks and new opportunities.
Chris Linnell, principal consultant at Bridewell, pointed to the rapid adoption of AI across UK industries as a major privacy inflection point. As agentic and AI-driven systems become embedded into business processes, data privacy extends beyond compliance into questions of trust, governance and accountability.
He said: “For privacy and compliance teams, this shift presents a real opportunity. While legal requirements have not fundamentally changed, the way organisations meet them can. Agentic AI can take on routine compliance tasks, freeing specialists to focus on embedding privacy by design, working closely with the business and continuously monitoring compliance in more meaningful ways. Used responsibly, AI has the potential to make data protection both stronger and more efficient.”
Alongside these strategic considerations, practical action remains essential. KnowBe4’s CISO advisors emphasised that Data Privacy Week is not about sweeping transformations, but about small, consistent steps that reduce risk over time.
For organisations, this includes practising data minimisation, understanding data flows, investing in human-centric security training, being transparent about privacy practices and maintaining strong encryption and incident response capabilities. Less data, better visibility and better-informed people all reduce exposure.
Taken together, the message from Data Privacy Day and Change Your Password Day is clear. Privacy and security are everyday operational responsibilities shaped by identity, behaviour and control. By embedding good security habits into daily life, both at work and at home, organisations and individuals alike can take meaningful steps to protect the data that underpins modern digital society.
Simon Pamplin, CTO of Certes, concluded, “Data Protection Day is an opportunity to look beyond today’s threats and think about what happens to our data in the future, particularly as we move closer to a post-quantum world. What we see time and again is criminals pulling together information from multiple breaches and packaging it into large data sets that can be sold or released. That data often comes from a mix of public systems, organisational records and user networks, which means the impact can be far wider than any single incident.
“Too many organisations still rely on perimeter-based security and assume that keeping attackers out of the network is enough. When those defences fail, as they inevitably do, the data itself is often left exposed and readable. In those situations, the real issue is not just that a breach happened, but that the stolen information can actually be used.
“For businesses, this is about long-term responsibility and trust. For consumers, it is a reminder that the personal data you share today can resurface years later. As breaches continue to happen, the critical question becomes whether stolen data is usable. Data-centric, quantum-safe protection helps ensure that even if information is taken, it is worthless to criminals, limiting the damage both now and in the future.”




