Privacy Day: 'Nothing to hide, but to protect'

Data Privacy Day was established in 2007 by the Council of Europe with the support of the European Commission. It is an annual event held on January 28, the day the Data Protection Convention was signed in 1981.

The European privacy law (GDPR) aims to better protect citizens' personal data. Data Privacy Day focuses on informing people about their rights under the GDPR and its national predecessors. Companies and organizations are also encouraged to improve their protection of personal data on this day. In the US, the same day is known as Data Privacy Day.

In the Netherlands, concerns mainly revolve around the misuse of identity documents (or copies of them) and organizations that track online search behavior or follow consumers via their mobile phone's Wi-Fi signal. Many people are also unaware of their rights or find it too much of a hassle to exercise them. 

Would you like to know what Awareways can do for your organization?

"But I have nothing to hide" is still a common response, as Wolfsen described at a previous Data Privacy Day in his blog on the AP website. He suggested asking those people for their personal medical records, financial data, and "a few passwords too," which often silences them.

"With the still-rising number of privacy complaints to the Dutch Data Protection Authority, I get the sense that we are becoming more frugal with sharing our personal data," Wolfsen writes.

"But the crux of privacy is that, if you look at it superficially, it's so easy to ignore the dangers. It's simply more fun to focus on the convenience you get in exchange for your personal data. But don't mistake the data wolf for a sheep."

"More and more unauthorized data resale is taking place. Misuse or irresponsible use of personal data can lead to wrong decisions, exclusion of people, and discrimination. So even if you figuratively have nothing to hide, you literally have a lot to protect."

Data trading is one of the Dutch Data Protection Authority's (AP) focal points for the 2020-2023 period, and it remains relevant today. We see this form of "payment" with free apps, for example, where you are asked to provide personal data. This is a risk because, first, the apps are often insufficiently secured to handle that data, and second, the data is often passed on to other parties who want to approach you with their products or services.

One of the biggest risks of leaving your personal data everywhere is identity fraud. The more information you share about yourself, the easier it becomes for others to impersonate you. This can have far-reaching personal consequences, but it also opens the door for fraudsters to gain a foothold within a company through your network. Phishing is still the most common form of social engineering, where "hacking" is usually a minor part of the process. Cybercriminals use all kinds of online information to learn as much as possible about an organization or a specific target within it.

This includes easily accessible information on the company's website, as well as on social media like Facebook and LinkedIn. They look for who the customers and suppliers are, and which banks, financial institutions, accountants, or lawyers are connected to the company. Then, they zoom in on the employee: who is the best person to approach, what is their role, and what is the best "entry point"?

Finally, the more your data is spread, the greater the chance that something will go wrong and your information will end up on the street. It's important to be very aware of everything you leave behind on the internet, especially data you should never just give away, least of all for something trivial like a free game. Always ask yourself if you truly need a certain app and if it's a good idea to provide specific information for it.

Privacy represents personal freedom, the right to decide who gets what information about you, and the desire to live without being constantly monitored. In the context of information security, we primarily talk about personal data and its protection: who has what information and why? This includes all the personal data processed in daily work—information about employees, suppliers, and other business contacts, as well as data about ourselves as consumers.

The GDPR—and since mid-2024, the updated Dutch Information Security Act based on the European NIS2 directive—is designed to ensure this data is better protected. Under this legislation, organizations have serious responsibilities and are strictly audited, with potentially heavy fines as a consequence if rules are not followed. This also includes a focus on providing information: companies and governments must be able to explain in clear language what data they use, while we as consumers are granted more and stronger privacy rights.

Awareways offers a wide range of online training courses for employees of large and small businesses, government agencies, and other organizations. We believe that learning about information security should be engaging, accessible, and should lead to lasting behavioral change. That's why we developed a complete learning experience platform based on the latest insights from fields like psychology, didactics, and gamification, where employees learn to work with information securely: Wave.

Wave is built on micro-learnings that form a security and privacy awareness training tailored to the user. In all our interventions—including Wave—our goal is to offer topics related to information security and privacy per target audience. After all, every employee is a part of the security chain.

For more information, visit awareways.com/train or contact us.