Skip Ribbon Commands
Skip to main content

​Privacy – why it is worth fighting for

​​​​Privacy is a fundamental right recognized in the UN Declaration of Human Rights. Along with the freedom of speech, privacy has been one of the most disputed human rights issues of the digital age.

The technological evolution has happened so rapidly and made many things possible in the ways we communicate, how we analyze data and how we market and procure products across the globe. The benefits have been great, and there is no disputing this.  However, our data privacy control is inversely proportional to the growing strength of our smartphones, which most of us tend to ignore or are unaware of.

“If you have nothing to hide, surveillance shouldn’t be an issue” 

Nothing to hide means not having to worry. This understanding is now commonly heard in the public debate. Some commentators even declare privacy dead in a world where openness and transparency seem to be key drivers in everything we do. Mark Zuckerberg, the founder of Facebook, has stated that “privacy is no longer a social norm” when confronted with this issue.

While we accept insecure processing of our private data every day when using our phones our tablets or when we go to the doctor, few of us would willingly share the password to our personal e-mail-account. We might want to share what we eat on Instagram, but few would happily display their browser history with the same enthusiasm. We still have curtains in our windows at home – not because we want to hide some criminal behavior – but because we actually value our private space. Mark Zuckerberg is no different; he bought the four properties surrounding his house in California, to shield his own family’s privacy.

The point is, that if you know you are being watched, your behavior changes. Brilliant ideas that come of a string of nonsensical, immature ideas are simply less likely to happen under surveillance. Therefore cyber surveillance and cyberattacks are not only serious threats to our national infrastructure, trade secrets and our bank accounts, but also on the more subtle and intangible subjects such as human creativity and vulnerability.

This opacity about the whereabouts and uses of our data and may be a reason why we don’t object to this course. We do not perceive the threat as real.

Is it too late?

Information technology is relatively new, Facebook and smartphones kicked off in 2006. It is no surprise that security was not the developers’ first priority. Security often comes second or later in product development, rarely first.

Just as we today enjoy cars with high security standards in terms of airbags, stronger constructions and less polluting engines, developers of IT are about to meet similar demands for higher security standards in terms of encryption, access management, privacy by design, etc.

Vendors of physical consumer goods are subject to product liability to compensate consumers who suffer losses due to defective products. IT companies must become subject to a similar product liability, should they fail to protect our personal data. Otherwise there is too little incentive for IT-companies to invest in expensive security features.

New EU data Protection regulation

The existing European Data Protection Act from 1995 imposes strict obligations on companies and the public sector to ensure sufficient protection of personal information.

However, most member states have taken a lenient approach regarding non-compliance and many National Data Protection Agencies have had limited resources to audit the security practices of the private and public organizations they are supposed to oversee. For those reasons data processors have struggled to implement privacy in their system designs and offset the costs of implementing the necessary security controls.

The new EU General Data Protection Regulation (GDPR) is likely to become the burning platform that has been missing. It imposes strict requirements on data processor companies and organizations with hefty fines of up to 4% of their yearly global turnover.

The GDPR is expected to be formally approved any time soon (early 2016)[1] followed by a two-year implementation period where organizations must change their way of managing data.

What European businesses must do

The GDPR requires data processors to classify the personal data they’re responsible for, map their data-flows to specific processes, systems and users, and conduct privacy impact assessments based on data’s sensitivity and the vulnerability of their systems.

All identified risks must be mitigated, appropriate technical and organizational controls must be selected, implemented and monitored. It is a complex, continuous effort and most organizations do not know where to start. National Data Protection Agencies will be given the resources necessary for onsite audits beginning in 2018.

An extremely difficult challenge lies ahead of the data processors and is likely to require a lot of effort and to drastically change the way IT systems are designed and operated in the future.

While the tasks before us may appear daunting; it should also be viewed as a welcome opportunity to regain control of our privacy.

[1] The new General Data Protection Regulation (GDPR) was approved by the responsible committee of the parliament in December 2015. The regulation will be presented at a plenary session in the Parliament in the first months of 2016 and in February the head of the governments in the member states is expected to vote on the regulation.


About NNIT Security Insights

NNIT Security Insights is a regular column where prominent NNIT IT security advisors share their thoughts on current and future IT security challenges and how to deal with them.

NNIT has its own Computer Emergency Response Team (CERT). If lightning strikes, we have the necessary competencies in-house to respond and assist. We have also developed a range of services that can help businesses to achieve the right level of security protection to protect the business from financial and reputational damage. 

You are welcome to contact us at if you want to know more about how NNIT can help your business increase its information security level.



Steve Peacock+45 30778428sepc@nnit.comGDPR Consulting Director Peacock



NNIT Security Insights Security Insights
Risky Business? Business?
​Ransomware 101​Ransomware 101
Cybersecurity Awareness – The First Line of Defense​ Awareness – The First Line of Defense​
The Fine Art of Aligning Business Strategy and Information Security Strategy Fine Art of Aligning Business Strategy and Information Security Strategy
​Privacy – why it is worth fighting for​Privacy – why it is worth fighting for
​The C.I.A. of application security!​The C.I.A. of application security!
Migrate to Cloud Services without Jeopardizing Security and Compliance to Cloud Services without Jeopardizing Security and Compliance
​​​Building a sustainable defence: How to secure your operational technology (OT) environment​​​​Building a sustainable defence: How to secure your operational technology (OT) environment​
How to Keep Industrial Computer Systems (ICS/SCADA) Running in an Age of Cybercrime? to Keep Industrial Computer Systems (ICS/SCADA) Running in an Age of Cybercrime?