Awareness, action and the future of personal data protection

Data privacy is frequently conflated with data security, but while they are related, they are distinct. Data security focuses on protecting information from unauthorized access, breaches, or loss. Data privacy, by contrast, focuses on how data is collected, used, shared, retained, and governed. Security focuses on keeping malicious actors out, while privacy ensures that processing by authorized users meets individuals' expectations. One of the more elegant descriptions of privacy comes from 1993’s Cypherpunk Manifesto, which describes Privacy as “the power to selectively reveal oneself to the world.”

Individual data subjects in environments like ours create, share, and interact daily with myriad categories of personal data, including:

• Educational and employment data, such as grades, credentials, evaluations, and payroll records
• Financial and identity information, including bank details, government identifiers, and payment histories, as well as immutable characteristics like physical and biometric information
• Behavioral and usage data, such as browsing patterns, geolocation, learning analytics, AI inputs, and application telemetry

What complicates privacy is not just the volume of data, but its movement. Information routinely flows across and between platforms, vendors, cloud providers, analytical tools, and institutional boundaries. Each handoff introduces new risks, obligations, and questions about oversight, accountability, and ownership. The stewardship of this extensive trove of personal data while supporting and enabling Principled Innovation™ at scale is at the core of institutional privacy.

Unlike cybersecurity, many privacy failures are not caused by advanced technical attacks, but by cultural and procedural gaps: unclear policies, inconsistent practices, or a lack of shared understanding. Overly permissive data sharing, mistaken disclosures, inadvertent regulatory violations, and ad-hoc workflows often stem from insufficient awareness or organizational expedience rather than malicious intent. That said, bad actors are aware of these gaps and exploit them for their malign purposes.

User awareness and informed consent are critical to resolving these problems. Individuals should understand what data is being collected, why it is being collected, how long it will be retained, and who will have access to it. Regardless of regulatory requirements, data privacy is something we should strive towards for multiple reasons, including the innate belief that privacy – the power to selectively reveal oneself – is a fundamental human right. Transparency builds trust; ambiguity erodes it.

Recognizing this, organizations are increasingly embedding privacy education into onboarding, annual training, and broader digital literacy initiatives. Many of the privacy principles supported by comprehensive privacy regulations are the same principles that have been recognized for decades, and the practice of these principles is at long last catching up. Privacy is no longer treated as a legal footnote, but as a core competency alongside security awareness and ethical technology use.

For years, even decades, the field of cybersecurity has recognized the importance of “human firewalls” and echoed the refrain that cybersecurity is everyone’s job. Privacy truly is everyone’s job, even if they don’t yet know it.

The privacy landscape continues to evolve, introducing new challenges that extend beyond traditional compliance models.

Artificial intelligence and large-scale data analytics rely on vast datasets, often repurposed in ways users did not originally anticipate, or collected second- and third-hand from entities that data subjects never intended to share their data with. Questions about data minimization, bias, explainability, and secondary use are becoming central privacy concerns. Organizations of all types are finding value in answering these questions, assuaging the concerns of the growing population of “privacy actives.”

Third-party platforms and cloud-based services further complicate accountability. Institutions often remain responsible for data protection even when processing is outsourced, requiring stronger vendor assessments and vetting contractual safeguards, all while balancing the need for agility and innovation.

Cross-border data flows add another layer of complexity, as information may be subject to multiple, and sometimes conflicting, legal requirements, which may change depending on the location or residency of the data subject. At the same time, public expectations for transparency, control, and accountability continue to rise, regardless of regulatory jurisdiction.

While privacy frameworks and policies matter, individuals are not powerless participants. Data Privacy Day serves as an opportunity to shift from passive acceptance to active engagement.

Practical steps we can all take include:

• Reviewing privacy settings and application permissions across devices and platforms, disabling any undesired collection or sharing of data
• Taking time to understand, at least at a high level, how services share or monetize data
• Practicing strong digital hygiene, such as using unique passwords and multi-factor authentication, deleting accounts and profiles that are no longer used rather than simply unsubscribing, and exercising your data subject rights
• Before sharing personal data with any entity, ask ourselves, “How concerned would I be if this were shared with a complete stranger or unknown company?”

These actions may seem small, but they can have a significant impact on individuals’ digital footprint and reinforce the idea that personal data has value and that individuals have agency over how it is managed.

Successful privacy protection ultimately requires leadership. The roles of privacy officers, security leaders, risk managers, governance, and compliance professionals are converging, reflecting the interconnected nature of modern data ecosystems and the value of information.

Privacy is no longer just a compliance requirement; it is a component of trust, reputation, and institutional resilience. Organizations that handle data responsibly are better positioned to maintain credibility with students, employees, customers, and partners. This earned trust demonstrates the value of sharing data with organizations that can be entrusted with it and enables even more innovation. The true path forward for any organization is to respect individuals and demonstrate societal value.

Effective governance frameworks are essential. These frameworks must balance innovation with responsibility, enabling the use of data for learning, research, and service improvement while respecting the agency of the individual by enforcing clear boundaries, oversight, and accountability. Done correctly, privacy and innovation are not mutually exclusive: they each empower the other.

One of the most important messages of Data Privacy Day is that privacy cannot be addressed once per year. Technologies evolve, threats change, and expectations shift. Static policies quickly become outdated. This is an opportunity to start or continue conversations with privacy experts across our organizations to collaboratively create new ways forward.

Organizations and individuals alike must adapt continuously - reassessing risks, updating practices, and learning from incidents. Privacy should be integrated into system design, procurement decisions, and strategic planning, not treated as an afterthought.

In this sense, Data Privacy Day is not a finish line, but a reminder to pause, reflect, and recommit to the concept that privacy is something we should strive for.

Data privacy is a shared responsibility. It depends on informed individuals, accountable organizations, and leaders who prioritize ethics alongside efficiency and innovation, understanding that these are not at odds with each other. Awareness is the first step, but ongoing action builds and sustains trust.

By investing in education, embracing transparency, and treating personal data with care, we lay the foundation for a digital future that is not only innovative but also trustworthy, opening doors to uses of data we never thought possible. Data Privacy Day challenges us to move beyond acknowledgment, to start and continue the conversation, and to make privacy a living, enduring practice.