Privacy Awareness Week: Privacy fundamentals matter, but the context has shifted
Published by David Cleary, Senior Manager, Privacy, Strategy & Consulting, and Katherine Walsh, Senior Consultant, Strategy & Consulting, on May 4 2026
Good privacy still starts with knowing your data. Understanding the data you hold, where it resides, and how it is managed remains a strong foundation, as outlined in our previous blog, "Privacy Awareness Week: Knowing Your Data".
What is changing is the context in which data exists. Data is not only accessed by individuals within defined systems, but also through integrations, automated processes, and external services. This can make it more difficult to consistently track and manage access.
Organisations increasingly need to look beyond what data they hold to how it is accessed and used in practice.
Understanding data is only part of the picture
Many organisations have made progress in improving data discovery and classification. These efforts remain important for applying appropriate controls and supporting regulatory compliance.
The next challenge is maintaining a clear view of how access is approved, reviewed, monitored, and removed. Permissions that are appropriate when first granted can become excessive or unclear as roles change, platforms evolve, vendors are onboarded, and business processes shift.
For privacy practices to remain effective, organisations need to understand not only where sensitive personal information is held, but also how it can be accessed.
This is where privacy, data governance, cyber security, and operational risk increasingly intersect.
Not all access is human
People are often described as the weakest link in privacy breaches and inappropriate data access, but they are not the only point of exposure. Some of the more significant risks can emerge from forms of access that are less visible.
Organisations rely on service accounts, system identities, and automated processes to support maintenance activities such as backups and data integrations.
These are commonly referred to as non-human identities, as they enable systems and applications to access data without direct user interaction.
These accounts often require elevated access permissions to function, which means they can access large volumes of data without direct human interaction.
Because this access happens behind the scenes, it may not always be reviewed, controlled, or governed with the same level of attention as privileged user accounts. This can create access to personal information that is not always visible to those responsible for oversight.
As AI and automation become more embedded in business operations, this becomes more relevant. These technologies often rely on non-human identities to interact with data, which can increase both the scale of access and the difficulty of maintaining effective oversight.
Applying consistent access practices to these accounts can help reduce this risk. This includes assigning service accounts to defined functions, reviewing permissions, logging activity, and applying comparable levels of control and governance to those used for privileged user accounts.
Complexity can make visibility harder to maintain
As technology environments become more complex, maintaining a clear and current view of data and access can become more challenging. This includes the use of cloud services, third-party platforms, and emerging AI tools that may operate outside established governance processes.
Gaps in visibility can emerge in ways that are easy to overlook. For example:
- A system integration that is no longer actively reviewed.
- A service account with broader access than intended.
- A team using an AI tool without an accurate view of how data is processed or retained.
Over time, these patterns can make it difficult to maintain a comprehensive view of where personal information is accessible and how it is being used.
In this context, effective privacy practices rely on consistent visibility and oversight across systems, users, and non-human identities.
Privacy is an ongoing capability
Understanding what data is held, and how it is accessed, provides a stronger foundation for managing privacy risk in practice.
As systems, technologies, and ways of working continue to evolve, organisations need to ensure that visibility and oversight of data and access keep pace. This supports consistent application of controls and helps organisations maintain trust in how personal information is managed.

