Data Protection Day is observed every year on 28 January, marking the date on which the Council of Europe adopted Convention 108, the first international treaty on data protection. The purpose of the day is not to overwhelm people with legal jargon, but to help data protection and data security become part of everyday awareness – so that citizens can make informed decisions about their personal data and their digital behaviour.
Data protection in everyday life
In the digital space, it is virtually impossible to exist without leaving traces behind. Every search, every post, every location signal is a small piece of a mosaic. Taken together, these fragments can paint a surprisingly accurate picture of who we are. We reveal not only what we like, but where we go, who we are connected to, when we are reachable, and what we truly value.
Depending on our personal settings, this information may become accessible to service providers, advertising companies, public authorities, or, in less fortunate cases, to data criminals. This is why data protection is not merely a private concern; it is a matter of public interest. It is no exaggeration to say that digital self‑defence has become a basic survival skill.
Data protection in the European Union and Hungary
Within the European Union, the protection of personal data is governed by several interconnected legal instruments. The Charter of Fundamental Rights of the European Union recognises the right to respect for private life and the protection of personal data, while the European Convention on Human Rights reinforces this through the right to respect for private and family life.
These principles form the foundation of the Council of Europe’s Convention 108 on data protection. Its modernised successor, Convention 108+, aims to respond more effectively to contemporary technological challenges, although it has not yet entered into full force, as it requires ratification by a sufficient number of member states.
The rapid expansion of the digital world made it clear that a more detailed and robust framework was needed. This led to the adoption of the General Data Protection Regulation (GDPR), which is now considered one of the strictest data protection regimes globally.
It is worth clarifying a common misconception at this point. The GDPR does not state that all data processing must be based on consent. In reality, it recognises several lawful bases, such as the performance of a contract, compliance with a legal obligation, or legitimate interest. At the same time, individuals enjoy extensive rights over their data, including the right to erasure, the right to restrict processing, and the right of access to information about how their data is handled. Importantly, everyone has the right to know what happens if a data protection incident occurs at the organisation processing their data.
When data protection becomes personal
Whenever you log in to a social media platform, share a photo, or make an online purchase, you are not only revealing information about yourself. Your data often contains references to your family members, your employer, or your wider network of contacts. The idea that “I have nothing to hide” is, in many cases, a form of self‑deception. Data attackers rarely rely on a single source; instead, they assemble a complete picture from many small, seemingly insignificant details.
This is precisely why conscious digital behaviour matters. You do not need to disappear from the internet, but it is worth pausing from time to time and asking yourself what data you share, where, and with whom.
What types of data protection threats might you encounter?
Among the most common threats are phishing and social engineering attacks. These rely on deception: the attacker poses as a bank, a delivery company, or a public authority, creates a sense of urgency, and directs the victim to a website that looks almost identical to the legitimate one. If the warning signs are missed, personal data is often handed over voluntarily to people who should never have access to it.
Equally insidious are malware programmes, which often arrive disguised as harmless downloads. Once installed, they may record keystrokes, collect sensitive information, or even lock an entire device. In ransomware attacks, data is effectively taken hostage, with attackers demanding payment for its release.
Less frequently discussed, but increasingly common, is SIM‑swap fraud. In these cases, attackers impersonate the victim when dealing with a mobile service provider, request a replacement SIM card, and then gain access to messages and authentication codes. From there, they can cause serious damage in a very short time.
And we should not overlook the simplest scenario. A lost or stolen phone or laptop is not primarily worrying because of the cost of replacement, but because of the data stored on the device and the accounts that remain accessible through it.
Additional risk factors in data protection
Beyond classic phishing attempts, brute‑force attacks also pose a real risk. These exploit predictable password habits, often drawing on information found on social media. Using a child’s name, a pet’s name, or a date of birth as a password may feel personal – but it also makes life easier for attackers.
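As an added illustration (not part of the original article), the following sketch shows how a sign-up form or a personal check could flag a password built from the kinds of details mentioned above. The names, the date and the matching heuristics are constructed assumptions, not a complete password policy.

```python
import re
import unicodedata
from datetime import date

# Common character substitutions undone before matching (constructed table).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

def letters(text):
    """Lowercase, strip accents (e.g. 'ó' -> 'o') and keep only a-z."""
    folded = unicodedata.normalize("NFKD", text.lower())
    return re.sub(r"[^a-z]", "", folded)

def date_fragments(d):
    """Digit strings people commonly derive from a date of birth."""
    dd, mm, yyyy = f"{d.day:02d}", f"{d.month:02d}", f"{d.year:04d}"
    yy = yyyy[2:]
    return {yyyy, dd + mm, mm + dd, dd + mm + yy, mm + dd + yy,
            yy + mm + dd, dd + mm + yyyy, mm + dd + yyyy, yyyy + mm + dd}

def personal_info_findings(password, names, dates):
    """Return labels for each personal detail found inside the password."""
    findings = []
    plain = letters(password)                    # letters as typed
    deleet = letters(password.translate(LEET))   # substitutions undone
    for name in names:
        token = letters(name)
        # Very short tokens would match almost anything, so skip them.
        if len(token) >= 3 and (token in plain or token in deleet):
            findings.append(f"name:{name}")
    digits = re.sub(r"\D", "", password)
    for d in dates:
        if any(frag in digits for frag in date_fragments(d)):
            findings.append(f"date:{d.isoformat()}")
    return findings

if __name__ == "__main__":
    # Constructed sample profile: a pet's name, a child's name, a birth date.
    names = ["Bella", "Zsófi"]
    dates = [date(2015, 5, 14)]
    for candidate in ["B3lla2015!", "zs0fi_140515",
                      "correct-horse-battery-staple"]:
        print(candidate, "->",
              personal_info_findings(candidate, names, dates) or "no match")
```

A password that returns any finding here is one that someone reading a public profile could plausibly guess; a long passphrase unrelated to personal details returns none.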
Public Wi‑Fi networks can be equally dangerous, especially if set up specifically to harvest data. In such cases, an unsuspecting user connects to what appears to be a free Wi-Fi hotspot, only to have their data intercepted while they enjoy their coffee (Wi-phishing).
Even everyday activities like withdrawing cash can carry risks. Devices attached to ATMs may capture card details, a practice commonly known as skimming.
It is also important to remember that a significant proportion of data protection incidents are linked to human error. An email sent to the wrong recipient, a misconfigured system setting, or a momentary lapse in attention can all have serious consequences. When it comes to data security, double‑checking is rarely a bad idea.
What should you do in the event of a data protection incident?
If you suspect that your data has been misused, there is little room for delay. Changing passwords immediately and enabling multi‑factor authentication should be the first steps. Where financial information may be affected, contacting your bank is essential. If identity documents are lost or stolen, a police report is necessary.
It is also important to note that if a data protection incident occurs due to a company’s error, the organisation must notify the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) within 72 hours. Affected individuals have the right to be informed about what happened, which data were involved, and the risks they may face.
A final thought
Data protection and data security are not technical luxuries, nor are they legal obsessions. Digital self‑defence has become as much a part of everyday life as locking your front door before leaving home. The more consciously we handle our personal data, the less likely it is to be turned into a weapon in someone else’s hands.

