CFOtech India - Technology news for CFOs & financial decision-makers

Data Privacy Day spotlight on control, resilience, design

Fri, 23rd Jan 2026

Security and data management leaders are placing renewed focus on the structural underpinnings of privacy programmes, as organisations prepare for Data Privacy Day against a backdrop of rising regulatory scrutiny and complex hybrid IT estates.

Industry executives say many companies still treat privacy as a matter of written policies or bolt-on tools. They argue that regulators and customers now expect verifiable controls, resilient architecture and demonstrable recovery processes instead.

Controls over policies

Privacy and security practitioners with financial services backgrounds warn that documentation alone does not satisfy either regulators or attackers. They say organisations often underestimate the gap between stated policies and what happens in production systems when access decisions are made under pressure.

One concern is the continued reliance on informal knowledge about who can access sensitive datasets. In many firms, access maps sit with a small number of long-tenured staff, and are not consistently reflected in identity systems, audit logs or configuration baselines.

Data protection experts say this leaves organisations exposed during investigations after an incident or during regulatory audits. It also complicates internal efforts to trace how data moves between applications, analytics environments, backup infrastructure and third-party services.

In the financial sector, this disconnect has been tested repeatedly by anti-money laundering enforcement and information security reviews, where investigators often demand detailed, time-stamped evidence of access and control decisions.

"After two decades in banking across InfoSec and AML, I've learned a simple rule: if you can't evidence it, you don't really have it. Privacy programs fail when they're built on policies instead of controls and when 'who has access to what data' lives in tribal knowledge.

In 2026, the winning approach is simple: strong identity controls, least privilege, encryption by default, and audit trails that actually stand up to scrutiny. But there's a piece many teams miss: resilience is part of privacy.

When ransomware hits, the pressure to 'just restore something fast' leads to shortcuts, unsafe reintroductions of malware, and bad decisions about paying. Treat backup and recovery as privacy controls: immutable copies, separation of duties, tight admin access, and routine restore tests. Regulators care about outcomes. Customers care about trust. Both care whether you can contain damage and recover cleanly," said Przemysław Grandos, Head of IT & Compliance, Catalogic Software.

Resilience as privacy

Ransomware attacks have shifted many security teams' focus from perimeter defences towards resilience and recovery planning. Industry specialists now increasingly view backup and restore processes as part of privacy governance, not just as business continuity measures.

Immutable backups, isolated recovery environments and stricter separation of duties around administrative access are becoming standard in regulated sectors. Routine restore testing is also gaining attention, as firms seek evidence that they can recover data accurately and without reinfecting systems.

These measures intersect with privacy obligations in several ways. They influence how long personal data persists in backup repositories. They determine whether restored datasets reintroduce previously deleted or corrected records. They also affect reporting timelines and containment outcomes during notifiable incidents.

Regulators in multiple jurisdictions now question firms not only about breach prevention, but also about how they limit the spread of compromised data and restore normal operations without compounding exposure.

Architecture first

Storage and data infrastructure vendors say many organisations still treat privacy as an overlay on top of existing systems, even as data spreads across on-premises, cloud and hybrid environments. They argue that this model struggles in the face of generative AI pipelines, large-scale analytics and extensive backup and archive estates.

Some industry leaders advocate for privacy-by-design approaches at the architectural level. They want data protection and data security patterns embedded directly into the way platforms store, move and process information, rather than handled as separate layers or point products.

Encryption strategy has become a particular focus. Organisations now weigh application-level encryption, software-based encryption at the storage layer and hardware-based encryption in self-encrypting drives. They also review when and where data is encrypted in use, in transit and at rest.

Vendors say enterprises increasingly need the option to apply encryption policies globally or selectively across workloads. They also say these rules must align with performance, latency and operational requirements without undermining privacy outcomes.

"Data Privacy Day is a reminder that privacy is not a feature added after the fact. It is a foundational design decision that must be embedded into the core of every data platform.

For years, organizations focused primarily on preventing breaches. Today, that approach is no longer sufficient. Data now spans on-prem environments, cloud and hybrid deployments, backups, archives, and AI pipelines. In many cases, privacy risk does not stem from external attackers, but from loss of control and unclear security policies across these environments.

A privacy-by-design approach starts at the architectural level, where data protection and data security are integrated rather than treated as separate layers. Organisations need the ability to enforce encryption policies that align with operational requirements, whether encrypting data at the software layer, at the drive level using self-encrypting drives, or both. Just as importantly, encryption must be flexible enough to apply globally or selectively, ensuring strong protection without limiting how data is used.

When organizations know exactly where their data resides, how it is protected, and who can access it, privacy becomes enforceable rather than aspirational. Combined with intelligent data placement strategies and reduced data duplication, this approach limits exposure and reduces the blast radius when incidents occur.

On Data Privacy Day, the message is clear. True data privacy is achieved through architecture, control, and resilience, not promises," said Gal Naor, CEO, StorONE.