National Data Protection Day: Experts Comment On Cybersecurity and What’s In Store for the Future of Data Security

The Origins of National Data Protection Day 

The UK’s National Data Protection Day has its roots in European Data Protection Day which started out back in 2007.

The initiative was launched by the Council of Europe to mark the anniversary of Convention 108, a groundbreaking international treaty signed on 28 January 1981 which, for the first time, established legally binding principles for data protection. The idea behind the treaty was to raise public awareness about privacy rights and encourage better data security practices across Europe.

Recognising the growing importance of data protection in an increasingly digital world, the UK followed suit and formally adopted the observance in 2008, aligning with other European nations. As such, the day became a platform for discussing key issues around personal data security, regulatory compliance and cybersecurity threats.

Even after the controversy surrounding Brexit, the UK continues to recognise National Data Protection Day, reinforcing its commitment to safeguarding personal and organisational data. The UK has maintained strict data protection regulations, ensuring businesses and individuals remain aware of their rights and responsibilities.

Over the years, the day has evolved into a crucial moment for organisations, policymakers and experts to reflect on the challenges and advancements in data privacy and cybersecurity. As such, we’ve received comments from a variety of experts in the data protection industry to hear their opinions on the status quo in data privacy and cybersecurity as well as their predictions for what’s to come.

Our Experts

• Greg Clark: Director of Product Management and Data Security at OpenText Cybersecurity
• Kevin Curran: IEEE Senior Member and Professor of Cybersecurity at Ulster University
• Robert Haist: CISO at TeamViewer
• Axel Maisonneuve: Technical Education Contributor at BSV Association
• Gaël Duval: Data Privacy Rights Advocate and CEO at Murena
• Robert Carson: Head of Platform and Effectiveness Practice at KINESSO UK&I
• Drew Firment: Vice President of Enterprise Strategies at Pluralsight
• David Higgins: Senior Director Field Technology Office at CyberArk
• Nick Walker: Regional Director at NetSPI
• Patrick Harding: Chief Product Architect at Ping Identity
• Aileen Cronin: SVP and Chief Privacy Officer at F5
• Mark Beare: GM Consumer at Malwarebytes
• Anthony Cusimano: Director of Technical Marketing at Object First

Greg Clark, Director of Product Management and Data Security at OpenText Cybersecurity

“From the U.S. government’s robust new cybersecurity executive order (which could or could not be implemented with a new administration) to HIPAA, GDPR and AI privacy policies, organisations are navigating increasingly stringent and complex rules that span industries and borders. These challenges can strain resources and create operational risks.

This Data Privacy Week underscores the urgency of embracing an organization-wide privacy-first approach to shift away from complexity, ensure compliance and protect data from persistent cyberattacks.

1. What all organisations can do: Adopt clear, company-wide policies that ensure the secure use and handling of information. This is crucial with the rapid adoption of GenAI tools. A recent OpenText survey found only 27% of employed respondents use privacy tools and settings to protect workplace information when using GenAI.

2. What data privacy and security teams should do: At a practitioner level, simplifying security stacks can help protect information by reducing fragmentation, improving cross-team communication, leveraging contextually relevant threat insights, and increasing transparency within data and other business systems. It also allows them to unify threat detection and response, data discovery and protection, modernising data privacy and strengthening privacy and security postures.

3. What employees should do: Individual employees play a critical role in protecting data. Phishing scams and insider threats are only getting more sophisticated. Whether a large enterprise or a small business, education and awareness across all departments need to be layered on top of AI-powered technologies that detect threats.

A privacy-first approach doesn’t have to slow innovation. By streamlining security stacks and policies, organizations can move beyond complexity to unlock more efficient, integrated workflows.”

Kevin Curran, IEEE Senior Member and Professor of Cybersecurity at Ulster University

“The privacy landscape is constantly evolving. According to a report by IMB, companies are taking, on average, 277 days to identify and respond to a cyber-attack. A previous Cyber Security Breaches Survey conducted by the UK government estimated that approximately 31 percent of businesses were attacked at least once a week in 2022 alone.

Moving forwards, CISOs should have a holistic understanding and approach to cybersecurity as an organisational-wide risk issue, along with the legal and regulatory implications of cyber risks, as they relate to their organisation’s specific circumstances. This includes identifying which risks to avoid, accept, mitigate, as well as specific plans in each case, and also communicating this to senior management.

All aspects relating to the protection of data need to be considered. This includes examining security of physical locations and employee access, data storage, data backups, network security, compliance and recovery procedures.”

Robert Haist, CISO at TeamViewer

Axel Maisonneuve, Technical Education Contributor at BSV Association

“In 2025, privacy faces challenges driven by generative artificial intelligence and the increasing use of cloud technologies. The ability of AI to create fake content, such as images, videos, and text, poses significant risks to the authenticity of information. To mitigate these risks, both businesses and individuals must adopt advanced technological solutions.

A key strategy is the use of blockchain to certify authorship and content integrity. This allows for the secure and transparent registration of documents or media creation, ensuring they haven’t been altered. Additionally, asymmetric encryption is essential for ensuring that AI-generated content is authentic, using private and public keys to verify its origin.

For personal users, it’s recommended to use strong passwords and enable multi-factor authentication (MFA) to protect online accounts. Using VPNs and reviewing app permissions are also key practices to safeguard digital privacy. Furthermore, adopting clear privacy policies and being mindful of the services’ terms will help prevent the unwanted exposure of personal data.

When it comes to cloud platforms, selecting a secure provider is crucial. Ensure the provider offers end-to-end encryption, secure data storage, and compliance with privacy regulations like GDPR. Properly managing user roles and permissions within the platform, and conducting regular security audits to check for vulnerabilities, can help minimize the risk of unauthorized access. Implementing data encryption both at rest and in transit ensures that sensitive information remains protected, even in case of a breach.”

Gaël Duval, Data Privacy Rights Advocate and CEO at Murena

“2024 was a pivotal year for the advertising industry. After years of resistance, Google finally relented on its plan to phase out third-party cookies in Chrome. While the direct ban is off the table, the consumer opt-in model will effectively spell the end for these cookies. Coupled with the increasing popularity of ad-blockers and privacy-focused browsers, the future of third-party cookies appears bleak.

A continued focus on testing, refining, and optimising their data and tech strategies is essential for brands. Data Clean Rooms, Data Cloud Solutions, and Customer Data Platforms are gaining traction as critical components of the post-cookie advertising ecosystem. While these solutions offer valuable capabilities, they alone, individually or collectively, are not a silver bullet and would be a sum of the parts.

To effectively measure and optimise media campaigns in a third-party cookie-less future, brands should also be investing in server-side MarTech solutions such as Server-side Tag Management, Server-side Web Analytics, Mobile SDK, Conversion APIs, and, if/where possible, Identity solutions.

However, not all brands are equal. All have varying degrees of first-party data collection, the types of first-party data they can use, and where and how it can be used for media purposes. To unlock the full potential of these solutions, brands must prioritise transparency and offer greater value exchanges to consumers. By encouraging consumers to share their first-party data, brands can gain deeper insights, improve measurement, and deliver more personalised experiences.”

Drew Firment, Vice President of Enterprise Strategies at Pluralsight

“AI-driven cloud operations (AIOps) are transforming how businesses optimise cloud computing costs, resource allocation, and threat detection. However, as cloud providers integrate increasingly data-hungry AI services into their offerings, Data Privacy Week serves as a timely reminder for businesses to prioritise safeguarding data in cloud environments – especially when integrating AI.

Cloud security remains the biggest challenge for organisations, largely due to skills gaps, especially as the threat landscape continues to evolve with data theft and ransomware tactics becoming more advanced.

While it’s tempting to blame security failures on cloud providers, most data breaches come from customers. The most common causes of breaches include unrestricted outbound access, neglected cloud infrastructure, and disabled logging, and underscore the need for better cloud security practices.

Increasing investment in cloud security training for both developers and operations teams is essential to address these vulnerabilities and build a more secure foundation for AI-powered cloud solutions.”

David Higgins, Senior Director, Field Technology Office, CyberArk 

“In light of the slew of cyberattacks that continue to compromise customer data, it is evident that more needs to be done to protect data. According to a recent survey from CyberArk, 75% of Britons are confident that all of the websites, apps, and digital services they use have enough measures in place. But is this trust misplaced?

“It’s essential that business and cyber leaders continue to prioritise proactive measures to safeguard data privacy as the challenges ahead are formidable. The ever-expanding volumes of data, rapid advancements in technologies like AI, and of course increasingly sophisticated threat actors demand unwavering focus and action. A key part of this effort lies in strengthening identity security, ensuring that access to sensitive data is tightly controlled and monitored.

This year’s theme for Data Privacy Day “Take Control of your Data” is also a powerful reminder that every individual has a role to play in protecting privacy. True control requires action, vigilance, and collaboration from all of us.”

Nick Walker, Regional Director at NetSPI 

Privacy regulations such as GDPR, HIPAA, FERPA, and CPRA have long served as critical pillars in protecting sensitive personal and organisational data, ensuring it does not fall into the wrong hands. These frameworks establish standards for data collection, storage, and sharing, fostering trust between businesses and individuals. However, as the cyber threat landscape becomes increasingly sophisticated, the conversation in 2025 and beyond must extend beyond compliance toward bolstering operational resilience.”

For financial organisations, the newly effective Digital Operational Resilience Act (DORA) brings a new focus on strengthening defences. While maintaining compliance with privacy standards remains crucial, DORA emphasises the need for more robust measures such as red teaming strategies. These strategies simulate adversarial tactics, helping enterprises test their defences against increasingly complex threats.

The continued evolution of social engineering techniques like phishing and deepfakes exposes vulnerabilities, often bypassing privacy protections by exploiting human trust. This highlights the critical need for robust security education, particularly as what used to be considered simple and primitive approaches to attack become increasingly driven by technological innovations like AI.

Continuous penetration testing and red team exercises are essential to ensure data privacy safeguards remain effective, addressing existing issues and uncovering new vulnerabilities from hardware updates, software changes, or evolving configurations.”

Patrick Harding, Chief Product Architect at Ping Identity

“Data Privacy Week serves as a crucial moment to reflect on the evolving digital security landscape and the pressing need to prioritise privacy in our interconnected world. With 87% of consumers expressing high or moderate concern about identity theft or fraud—a staggering 24% increase from 2023—it’s clear that confidence in the digital ecosystem is eroding. This growing apprehension highlights the urgent need for businesses to protect personal information and restore trust in online interactions.

“At the core of consumer expectations lies a strong demand for security, with 78% citing it as their top concern regarding digital experiences. Security and privacy are no longer just technical requirements—they are fundamental to building customer trust and loyalty. Without robust measures to safeguard data, businesses risk not only reputational damage but also the erosion of consumer confidence.

“Decentralised identity management offers a transformative solution to this challenge. By empowering individuals to control their data and reducing reliance on centralised repositories, it minimises the attack surface for cybercriminals while enhancing user privacy. As businesses embrace privacy-by-design principles, decentralised identity should play a pivotal role in their strategies. By committing to these principles, organisations can build lasting trust and establish themselves as leaders in the era of digital privacy.”

Aileen Cronin, SVP and Chief Privacy Officer at F5

“Fundamentally, Artificial Intelligence is data intelligence. That is why data privacy and, more broadly, the ethical use of data, must remain at the forefront of the AI revolution. It is also crucial that organisations around the world continually look beyond regulatory demands to anticipate and exceed consumers’ data usage expectations.

This should include transparency on data management practices, intentionally embracing ‘privacy-by-design’ principles at every possible juncture, as well as minimising data collection based on consumer choice.”

Mark Beare, GM Consumer at Malwarebytes

“As parents, we can’t shield our children from every danger lurking online, but we can equip them with the tools to protect themselves. By teaching them about data privacy, setting strong security measures, and being mindful of what we share, we can help safeguard them from the potentially devastating consequences of identity theft.

A decade ago, I never could have imagined how deeply intertwined our lives — and data — would become with technology. Back then, Twitter was a place to share lunch updates, Facebook got family photos, and TikTok wasn’t even around yet. Today, every post, photo, and detail we share online is a potential data point that could one day fall into the hands of cybercriminals.

On Data Privacy Day 2025, I’m asking all parents to take a concrete step toward securing your children’s future. Today, update the privacy settings on all your social media profiles, ensuring they are visible only to trusted friends and followers. Tomorrow, freeze your child’s credit to protect them from future identity theft. And moving forward, think carefully before sharing their faces or personal details online. The full impact of the AI revolution is still unfolding, and we must be cautious not to enable technologies like deepfakes to exploit our children’s identities.”

Advice:

• Make sure your social media accounts are set to private. You’ve likely shared photos and info about your family over the years. Make sure your accounts are locked down.

• Freeze your child’s credit: You need to do this at all three major credit bureaus (Equifax, Experian, and Transunion), and it’s free to do. Freezing restricts access to your child’s credit report, and means fraudsters cannot use your child’s identity to get credit.

• Use fake data wherever you can: In some places, like medical facilities, you do need to use your child’s real data. But whenever you’re signing up for something less official, try using dummy data.

• Review privacy settings on apps your kids use: Keep things as private as you can. For example, don’t use their photo for profile pictures, remove statuses that let others know when they’re online, set as much as possible to “private,” and give the least amount of personally identifiable information (eg. home address, phone number, etc.) as you can.

• Keep your devices updated and use security software: Infostealers are a type of malware that steal data from your device. This data can then be sold on the dark web to identity thieves.

• Talk to your kids about digital safety: Make sure they know how to set strong passwords, what dangers to look out for online, and how to stay safe.

• Set up identity monitoring: This alerts you if you or your family’s information is being traded online, and helps you recover afterwards.

Anthony Cusimano, Director of Technical Marketing at Object First

“I think it’s safe to say that NIS2 in Europe was a significant first step that will push many non-EU member states to think more about their own data privacy. With the number of breaches, leaks, and information dumps readily available for download from the various PasteBins of the net and the sheer amount of spam emails and calls I’m receiving daily, something has to change. We should absolutely expect US states to continue to enact or tighten their data privacy requirements and enforcements as the issue continues to spread due to the threat of bad actors and customers taking data privacy more seriously.

However, on the personal side, the average tech user is becoming less concerned about data privacy. We see this very clearly on every social media platform, where folks are too willing to share their most personal information in the public square for anyone to see: birthdays, addresses, medical records, and credit card statements. People are getting bolder and bolder when it comes to sharing things they shouldn’t for the sake of a few imaginary internet points, which concerns me.

While businesses should always be at the forefront of data privacy and security, we see how often breaches occur, and this should spurn outrage, but that doesn’t mean much if a large number of digital citizens are giving it all away for free and creating more opportunities for bad actors to use their information to do more harm.

It’s a challenging problem to solve, and I don’t think there are many reasonable solutions beyond sharing the concern and educating our friends and family about the importance of securing their data and holding businesses accountable for doing the same otherwise the issues we deal with today will only get worse.”