Reframing Security Around People, Dignity, and Trust
Each year, Data Privacy Week and Data Protection Day invite organizations and individuals alike to reflect on how personal data is collected, processed, protected, and governed. These moments are more than symbolic. They are reminders that privacy and data protection are not merely regulatory obligations or technical challenges; they are deeply human concerns, tied to dignity, autonomy, trust, and well-being.
Yet despite decades of progress in privacy law, security controls, and compliance frameworks, data breaches, misuse, and erosion of trust continue at scale. This persistent gap between intention and outcome raises a critical question:
Are we designing data protection systems for people—or merely around them?
A growing body of interdisciplinary research suggests that the answer lies not in more technology alone, but in a human-centric approach to security and privacy—one that recognizes people as central stakeholders, not peripheral risks.
Beyond Compliance: Why Human-Centric Data Protection Matters
Traditional approaches to data protection have largely been shaped by compliance-driven and technology-first paradigms. Frameworks such as GDPR, PIPEDA, and sectoral privacy laws have undeniably strengthened accountability, transparency, and individual rights. However, compliance does not automatically translate into meaningful protection.
Human-centered cybersecurity research highlights a recurring issue: systems may be legally compliant and technically sound, yet still fail users due to complexity, poor usability, misaligned incentives, or unrealistic assumptions about human behaviour (Gerber et al., 2023).
When privacy notices are unreadable, consent mechanisms manipulative, or security controls unusable, individuals are effectively excluded from their own protection. In these moments, data protection becomes performative rather than protective.
A human-centric lens reframes the goal of privacy and data protection from checking boxes to preventing harm.
The Human Dimension of Privacy Risk
Privacy risk is often discussed in abstract terms: records exposed, accounts compromised, systems infiltrated. But for individuals, privacy harms are deeply personal and enduring. Research consistently shows that data breaches and misuse can lead to:
Laidlaw and Martin-Bariteau (2025) argue that cybersecurity must be understood not only as the protection of information, but as the protection of the self. When personal data is compromised, it is not merely data that is exposed—it is identity, context, and lived experience.
This perspective aligns with human-centric privacy scholarship, which emphasizes that privacy is not a static asset but a dynamic, contextual, and relational process shaped by social norms, power structures, and individual expectations (Marky, 2023).
Human-Centered Design: Making Privacy Usable
One of the most practical contributions of human-centric research lies in human-centered design (HCD) for security and privacy. Rather than expecting users to adapt to systems, HCD adapts systems to real human needs, capabilities, and constraints.
Groen et al. (2023) demonstrate that usable privacy and security emerge when design processes incorporate:
When privacy controls are intuitive, transparent, and aligned with user goals, individuals are more likely to engage meaningfully with data protection mechanisms, not because they are forced to, but because they are empowered to.
In this sense, usability is not a “nice to have.” It is a security requirement.
From “Human Error” to Systemic Responsibility
A persistent myth in cybersecurity is that people are the “weakest link.” This narrative oversimplifies reality and shifts responsibility away from systems, organizations, and design choices.
Human-centric research challenges this framing by showing that many so-called “errors” are predictable outcomes of poorly designed environments. Dark patterns, excessive complexity, alert fatigue, and ambiguous interfaces all increase the likelihood of unsafe behaviour.
Rather than blaming individuals, a human-centric approach asks:
This shift is especially relevant in data protection, where consent fatigue, unclear data flows, and asymmetrical power relationships leave individuals with little meaningful choice.
Human-Centred Privacy as a Research and Practice Imperative
Human-centric security and privacy is not only a design philosophy or organizational practice; it is also a growing interdisciplinary research agenda. In their influential contribution to the evolution of the field, Renaud and Flowerday (2017), building on the foundations laid by Sasse, Brostoff, and Weirich, argue that human-centred security and privacy research must mature beyond its early focus on usability toward deeper, contextual understandings of how security and privacy are experienced, shaped, and sustained in real-world settings.
The authors caution that focusing solely on making security “easier to use” risks obscuring deeper structural issues, such as asymmetries of power between individuals and institutions, opaque data ecosystems, and the social consequences of surveillance-driven technologies. From this perspective, privacy failures are rarely the result of individual misunderstanding alone; they are often embedded in systemic design choices, governance models, and economic incentives that prioritize efficiency or control over human values.
Importantly, the paper calls for future human-centred security and privacy efforts to adopt longitudinal and contextual approaches, recognizing that privacy expectations, trust, and risk perception evolve over time. This insight is particularly relevant in the context of Data Privacy Week, as it reminds us that one-time notices, static consent mechanisms, or annual training initiatives are insufficient to address the dynamic nature of privacy in real-world settings (Renaud & Flowerday, 2017).
By framing privacy as a lived, ongoing experience rather than a one-off transaction, human-centred research reinforces the need to design data protection systems that adapt to human realities: shifting roles, changing technologies, and evolving social norms.
Privacy as a Foundation of Trust
Trust is often cited as a business value, but rarely treated as a design principle. Human-centric data protection reframes trust as something earned through consistent, respectful, and transparent practices.
Studies on human-centered cybersecurity emphasize that trust is strengthened when individuals:
Conversely, repeated breaches, opaque practices, and dismissive responses to harm erode trust not only in organizations, but in digital systems more broadly.
During Data Privacy Week, this connection between privacy and trust deserves renewed attention. Trust cannot be mandated by policy alone; it must be cultivated through human-aware design and governance.
Human-centred security and privacy research further emphasizes that trust cannot be engineered through interface design or policy language alone. Renaud & Flowerday (2017) argue that trust emerges through ongoing relationships between people, technologies, and institutions, shaped by transparency, accountability, and perceived fairness. When privacy controls are introduced without meaningful explanation or when individuals lack visibility into how decisions are made about their data, trust deteriorates, even if formal safeguards are in place.
This perspective reinforces the idea that data protection is not merely about preventing breaches, but about sustaining legitimate, trustworthy digital environments in which individuals feel respected and heard. Trust, in this sense, becomes both an outcome and a prerequisite of effective human-centric data protection.
The Security of Self: A New Paradigm for Data Protection
The concept of “security of self” offers a compelling framework for advancing human-centric data protection. Rather than centering security exclusively on systems or assets, it positions people as the primary object of protection.
This paradigm encourages policymakers, practitioners, and organizations to ask:
By aligning data protection with human rights, autonomy, and well-being, security of self bridges the gap between technical safeguards and lived experience.
Why Data Privacy Week Matters More Than Ever
In an era of AI-driven analytics, pervasive surveillance, and data-hungry ecosystems, the stakes of data protection have never been higher. Data Privacy Week and Data Protection Day are not just awareness campaigns; they are opportunities to amend our approach.
A human-centric perspective reminds us that:
As we mark this week, the challenge before us is clear: to move beyond treating people as variables in risk equations and instead recognize them as participants, rights-holders, and partners in data protection.
Looking Ahead: From Awareness to Action
Human-centric data protection is not a rejection of technology, law, or compliance; it is an evolution of them. It calls for interdisciplinary collaboration, humility in design, and a willingness to listen to those most affected by privacy failures.
As human-centred security and privacy scholars have noted, advancing this shift will require sustained interdisciplinary collaboration, bringing together cybersecurity, privacy law, psychology, ethics, sociology, and design, to ensure that data protection frameworks reflect the full complexity of human experience rather than simplified models of user behaviour (Renaud & Flowerday, 2017).
As professionals committed to data protection, cybersecurity, and trust, we must ask ourselves:
Are our systems designed to protect data—or to protect people?
The answer to that question will define the future of privacy.
References
Gerber, N., Stöver, A., & Marky, K. (Eds.). (2023). Human factors in privacy research. Springer. https://doi.org/10.1007/978-3-031-28643-8
Groen, E. C., Feth, D., Polst, S., Tolsdorf, J., Wiefling, S., Lo Iacono, L., & Schmitt, H. (2023). Achieving usable security and privacy through human-centered design. In N. Gerber, A. Stöver, & K. Marky (Eds.), Human factors in privacy research (pp. 83–114). Springer. https://doi.org/10.1007/978-3-031-28643-8_5
Laidlaw, E. B., & Martin-Bariteau, F. (Eds.). (2025). The security of self: A human-centric approach to cybersecurity. University of Ottawa Press. https://www.uottawa.ca/research-innovation/centre-law-technology-society/security-of-self
Marky, K. (2023). Data collection is not mostly harmless: An introduction to privacy theories and basics. In Human factors in privacy research (pp. 3–28). Springer. https://link.springer.com/chapter/10.1007/978-3-031-28643-8_1
Renaud, K., & Flowerday, S. (2017). Contemplating human-centred security & privacy research: Suggesting future directions. Journal of Information Security and Applications, 34, 76–81. https://doi.org/10.1016/j.jisa.2017.05.006
You can connect with Ishmael here.