From Policy to Proof: The New Reality of Data Privacy

This week marks Data Privacy Week, with Data Privacy Day observed yesterday, January 28—a date chosen to commemorate the signing of Convention 108 in 1981, the Council of Europe treaty widely recognized as the first legally binding international instrument dedicated to data protection. The milestone laid the groundwork for modern privacy regulation by formalizing the idea that personal data requires structured legal safeguards, not just technical protection. More than four decades later, the conversation has shifted from basic compliance to operational proof, architectural design, and geopolitical control of data. Industry leaders say privacy in 2026 is defined less by policy documents and more by demonstrable controls, resilience, and sovereignty.
Privacy Must Be Provable, Not Just Written

Przemysław Grandos, Head of IT & Compliance at Catalogic Software, argues that many privacy programs still fail a fundamental test: evidence.

“After two decades in banking across InfoSec and AML, I’ve learned a simple rule: if you can’t evidence it, you don’t really have it. Privacy programs fail when they’re built on policies instead of controls and when ‘who has access to what data’ lives in tribal knowledge.”

He points to a core security baseline that increasingly overlaps with privacy: strong identity governance, least-privilege access, encryption by default, and audit trails that can withstand regulatory scrutiny. But he stresses that one dimension remains underestimated—recovery.

“There’s a piece many teams miss: resilience is part of privacy.”

According to Grandos, ransomware incidents often expose this gap. The urgency to restore systems can lead to poor decisions that reintroduce compromised data or weaken safeguards.

“Treat backup and recovery as privacy controls: immutable copies, separation of duties, tight admin access, and routine restore tests. Regulators care about outcomes. Customers care about trust. Both care whether you can contain damage and recover cleanly.”

The message is clear: privacy is judged not only by prevention, but by how well an organization limits harm when prevention fails.
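One way to turn the "routine restore tests" Grandos describes into evidence rather than a checkbox is to script the drill and have it emit an audit record. The following is an added example, not code from the article or from Catalogic Software: it writes a small backup with a hash manifest, clears the write bits on the copy as a stand-in for the immutability a real backup platform would enforce (WORM storage or object lock; only the mode bits are inspected here), restores it to a separate directory, and verifies every restored file against the manifest. The sample records, file names, and the `run_restore_test` helper are all constructed for illustration.

```python
"""Restore-test evidence: verify a backup restores cleanly and record the result."""
import hashlib
import json
import os
import shutil
import stat
import tempfile
from datetime import datetime, timezone

MANIFEST = "manifest.json"
WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_backup(backup_dir: str, files: dict) -> dict:
    """Write the files plus a manifest of their hashes, then clear every write bit.
    Read-only mode bits stand in for the immutability a real backup platform
    (WORM storage, object lock) would enforce; verify_restore inspects only those bits."""
    manifest = {}
    for name, content in files.items():
        path = os.path.join(backup_dir, name)
        with open(path, "wb") as f:
            f.write(content)
        manifest[name] = sha256_file(path)
    with open(os.path.join(backup_dir, MANIFEST), "w") as f:
        json.dump(manifest, f, indent=2)
    for name in list(manifest) + [MANIFEST]:
        path = os.path.join(backup_dir, name)
        os.chmod(path, os.stat(path).st_mode & ~WRITE_BITS)
    return manifest


def restore(backup_dir: str, restore_dir: str) -> list:
    """Copy every file named in the manifest into restore_dir; return the names restored."""
    with open(os.path.join(backup_dir, MANIFEST)) as f:
        manifest = json.load(f)
    for name in manifest:
        # copyfile copies data only, so the restored copy is writable again.
        shutil.copyfile(os.path.join(backup_dir, name), os.path.join(restore_dir, name))
    return sorted(manifest)


def verify_restore(backup_dir: str, restore_dir: str) -> dict:
    """Produce an evidence record for a restore test: every manifest entry must exist
    in restore_dir with a matching hash, and every backup file must still be non-writable."""
    with open(os.path.join(backup_dir, MANIFEST)) as f:
        manifest = json.load(f)
    missing, mismatched, writable = [], [], []
    for name, expected in manifest.items():
        restored = os.path.join(restore_dir, name)
        if not os.path.exists(restored):
            missing.append(name)
        elif sha256_file(restored) != expected:
            mismatched.append(name)
        if os.stat(os.path.join(backup_dir, name)).st_mode & WRITE_BITS:
            writable.append(name)
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "files_checked": len(manifest),
        "missing": missing,
        "mismatched": mismatched,
        "writable_in_backup": writable,
        "ok": not (missing or mismatched or writable),
    }


def run_restore_test(tamper: bool = False) -> dict:
    """End-to-end drill on constructed sample data. tamper=True alters one restored
    file after the copy, the kind of drift a rushed recovery must not let through."""
    # Constructed sample records for the demo; not real customer data.
    sample = {
        "customers.csv": b"id,email\n1,alice@example.test\n2,bob@example.test\n",
        "consent.json": b'{"1": "marketing:opt-out", "2": "marketing:opt-in"}\n',
    }
    with tempfile.TemporaryDirectory() as backup_dir, tempfile.TemporaryDirectory() as restore_dir:
        write_backup(backup_dir, sample)
        restore(backup_dir, restore_dir)
        if tamper:
            with open(os.path.join(restore_dir, "consent.json"), "ab") as f:
                f.write(b"# altered after restore\n")
        return verify_restore(backup_dir, restore_dir)


if __name__ == "__main__":
    print(json.dumps(run_restore_test(), indent=2))
    print(json.dumps(run_restore_test(tamper=True), indent=2))
```

The returned record is the artifact a regulator or auditor can be shown: a timestamp, the number of files checked, and explicit lists of anything missing, altered, or writable in the supposedly immutable copy. Running the drill on a schedule and archiving those records is what makes "we test our restores" a verifiable claim rather than tribal knowledge.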
Privacy by Design Means Architectural Decisions

Gal Naor, CEO of StorONE, frames privacy as an engineering discipline that must begin at the platform layer.

“Data Privacy Day is a reminder that privacy is not a feature added after the fact. It is a foundational design decision that must be embedded into the core of every data platform.”

He notes that data now stretches across on-premises systems, multiple clouds, backups, archives, and AI pipelines. In this environment, risk often stems less from a single breach and more from loss of visibility and control.

“In many cases, privacy risk does not stem from external attackers, but from loss of control and unclear security policies across these environments.”

Naor advocates an architectural “privacy-by-design” model in which encryption and protection mechanisms are built into infrastructure choices.

“Organizations need the ability to enforce encryption policies that align with operational requirements, whether encrypting data at the software layer, at the drive level using self-encrypting drives, or both.”

Equally important is flexibility: protection must be strong without crippling data use. When organizations have precise knowledge of data location, protection status, and access rights, privacy becomes enforceable rather than aspirational.

“True data privacy is achieved through architecture, control, and resilience, not promises.”
AI, Sovereignty, and Control of Data Jurisdiction

Yoram Novick, CEO of Zadara, places the privacy discussion in a broader geopolitical and AI-driven context. As AI workloads expand into regulated and sensitive sectors, the key issue is shifting.

“The question is no longer whether organizations should focus more on data privacy, but where and under whose control that data resides.”

He highlights data sovereignty, digital sovereignty, and sovereign cloud and sovereign AI cloud platforms as increasingly central to both compliance and national resilience. Traditional public cloud models, he suggests, can create jurisdictional and regulatory exposure.

“Sovereign AI and sovereign AI cloud architectures address these gaps by ensuring that data, models, and operations remain under local jurisdiction, aligned with national regulations, and insulated from foreign access or extraterritorial control.”

At the technical level, Novick emphasizes zero-trust security and identity-centric controls as the operational backbone.

“Identity-aware systems, multi-factor authentication, and continuous verification significantly reduce attack surfaces.”

He also warns that AI itself is a double-edged sword.

“While AI-driven tools can enhance threat detection and operational efficiency, poorly governed AI systems can amplify vulnerabilities and compliance risks.”

For Novick, responsible AI deployment and privacy protection increasingly intersect in sovereign, tightly governed environments.

From Awareness to Accountability

Data Privacy Week began as an awareness initiative, but the priorities outlined by these leaders show how far the discipline has evolved. Privacy now sits at the intersection of identity management, infrastructure design, cyber-resilience, AI governance, and national jurisdiction.

The through line is accountability. Whether through auditable controls, architecture-level encryption, resilient recovery, or sovereign data strategies, organizations are being judged on measurable outcomes. The legacy of Convention 108 is no longer just legal theory—it is operational reality, tested daily in how data is stored, processed, recovered, and controlled.