As Data Privacy Day on January 28 casts a spotlight on how enterprises use personal information, security and customer engagement leaders are warning that the biggest privacy risks are shifting from external hacks to the misuse of trusted access and the growing role of AI.
Also known as Data Protection Day, the annual reminder was established by the Council of Europe to encourage “all of us… to safeguard our personal data and uphold our right to privacy.”
Chris Harris, EMEA Technical Director, Data and Application Security at Thales, argues that many customers still don’t feel they have meaningful visibility or choice over how their personal data is used. “Data privacy still feels like a black box,” Harris said.
“Our research shows that a third of consumers don’t understand how their data is managed and only share personal information because they see no other option. That’s not informed consent, it’s quiet coercion.”
Harris added that privacy frustration is already translating into lost business, warning against organizations leaning on lengthy terms and conditions that leave customers in the dark and suspicious about entrusting their information.
“It’s no surprise that 82 percent of people have abandoned a brand over concerns about data use.”
“Trust won’t be rebuilt through longer privacy policies. It will come from making data use visible, understandable and meaningful – clearly highlighting what data is collected, why it’s needed, how long it’s kept and who or what is accessing it,” Harris said.
Building Trust Through Careful Data Handling
Separate research from Zoho suggests 46 percent of organizations in the UK see privacy as important, but just 36 percent say their business complies with all regulations and industry guidelines. Meanwhile, only 43 percent report conducting regular training, and 45 percent have clear and transparent data privacy policies, down from 50 percent in the Zoho Digital Health Study 2025.
Sachin Agrawal, Managing Director at Zoho UK, said the stakes have moved beyond regulatory box-ticking.
“Data privacy is no longer just a compliance requirement, but rather a requirement of building trust with customers. As organisations become increasingly reliant on data and emerging technologies, protecting personal information must be embedded into every aspect of their operations.”
Trust can be won—or lost—at the point of interaction. For customer-facing brands, privacy concerns may surface in the most everyday moments: a text message, a verification code, an unexpected phone call.
“Customers want clarity and control over their information, and agents should only access the minimum data required not only reduce exposure but also deliver more accurate, meaningful results.”
Privacy breakdowns often stem from human and process failures rather than technical shortcomings, Agrawal added.
“When privacy is treated as a core value rather than an afterthought, companies not only reduce risk, but also strengthen customer confidence and loyalty.”
Organizations that prioritise transparency around how they handle data will be better placed to deliver better customer experience, Agrawal added.
Corey Nachreiner, CSO at WatchGuard Technologies, said: “Data privacy risk today isn’t primarily caused by attackers breaking through a firewall; it’s driven by identity compromise and the misuse of trusted access.”
Criminals are increasingly using “social engineering and AI-enabled deception to steal credentials, impersonate legitimate users, and quietly exfiltrate data,” often starting with “something as simple as a deceptive link or download,” Nachreiner said.
Privacy Best Practices That Build Trust
Enterprises need to adapt to the changing threat landscape by moving beyond fragmented security controls and adopting integrated protections that reduce exposure across the data lifecycle.
“This shift is why protecting data now requires a simpler, more unified approach that combines identity, endpoint, and identity protections. When those layers operate in silos, gaps emerge that attackers are quick to exploit.”
Simple measures such as verifying download sources, using multi-factor authentication and maintaining strong credential hygiene can interrupt attackers even when they gain access to credentials, preventing data breaches, regulatory exposure, or long-term reputational damage, Nachreiner said.
Genetec, which provides enterprise physical security software, shared best practices to help organizations protect sensitive data while maintaining effective security operations. Mathieu Chevalier, Principal Security Architect at the company, said:
“Some approaches in the market treat data as an asset to be exploited or shared beyond its original purpose. That creates real privacy risks. Organizations should expect clear limits on how their data is used, strong controls throughout its lifecycle, and technology that is designed to respect privacy by default, not as an afterthought.”
Genetec recommends starting with a clear data protection strategy, designing systems with privacy built in, maintaining strong cyber defenses over time, using cloud services to support resilience and compliance, and choosing partners committed to privacy and transparency.
Privacy Agenda Shaped by AI, Geopolitics and Public Expectations
In its messaging around Data Protection Day, the Council of Europe noted that the risks around personal data have multiplied with AI and wider geopolitical shifts, including “the risk of discrimination or of exposure to disinformation and manipulation.”
Beatriz de Anchorena, Chair of the Council of Europe’s data protection convention consultative committee, said: “2026 finds us at a defining moment… [P]rotecting personal data remains essential to safeguarding individual rights, democratic values, and trust in the digital environment.”
Law firm Norton Rose Fulbright framed data privacy in 2026 as a defining business issue rather than a narrow compliance exercise.
In its view, privacy now shapes customer expectations, regulatory posture, and even how quickly organizations can innovate, particularly as AI systems ingest unprecedented volumes of personal data and identity-based attacks continue to rise.
The firm emphasized that trust is becoming a core source of competitive advantage, noting:
“Customers want transparency about how their data is used, how models make decisions, and how organizations prevent misuse. Companies that can articulate responsible AI practices earn deeper trust and avoid regulatory headaches.”
The firm also highlighted the need to align privacy and security teams to address identity risks through strong governance, continuous monitoring, and behavioral threat detection.
At the same time, Norton Rose Fulbright observed that global privacy regimes are gradually converging around shared principles:
“While regional differences remain, we are seeing a gradual convergence around core principles: transparency, minimization, accountability, and user rights, as well as interaction with product liability considerations in some jurisdictions.”
Organizations that adopt adaptable, principle-driven privacy programs, the firm argues, are better positioned to scale globally and to treat privacy as future-proofing rather than a cost center:
“When teams know the boundaries, they can build faster, with greater confidence and less need for revision or redirection of internal resources and budgets to deal with data breaches and regulatory investigations.”
Across the industry, a common message is emerging: organizations can’t “policy” their way to trust. They need to make data practices comprehensible, minimize access, train staff, and design customer interactions that signal legitimacy—especially as AI-driven workflows and identity-based threats expand the attack surface.
Social media platform TikTok, which has faced persistent scrutiny over its data use, took the opportunity of Data Privacy Day to emphasize its moves to strengthen data security by combining new in-app protections with large-scale infrastructure and independent oversight in Europe.
The company pointed to its Security Checkup dashboard, designed to help users review and harden account settings such as two-factor authentication, device management and suspicious activity alerts. It is also continuing to invest in Project Clover, its multi‑billion‑euro initiative to protect European user data by expanding its European data centre capacity and extending independent monitoring by cybersecurity firm NCC Group.
As Thales’ Harris put it: “In an AI-driven world, transparency isn’t a ‘nice to have’; it’s the foundation of digital trust.”
