Safeguarding Data in the Digital Age: Insights from Atos’s Global Data Protection Experts
As the world celebrates Data Protection Day on January 28, 2026, the importance of safeguarding personal data has never been more urgent — especially in an era where artificial intelligence (AI) increasingly drives decision-making, personalization and automation. AI systems rely on vast amounts of data, making privacy protection and responsible data handling essential to maintain trust and compliance. However, this is easier said than done, especially when almost all our personal details are readily available online, either willingly or unintentionally.
Atos is a global digital transformation leader and one of the foremost voices of data protection and sovereignty. In this interaction with our experts — Cecilia Fernandez Arredondo, Head of Data Protection, Group DPO, Pierre LOIR, Global Data Protection Legal Expert, and Yann Dietrich, Global Head of Legal AI, Data & IP — we explore how organizations can safely harness technology while protecting sensitive client and end-user data, implementing robust privacy safeguards, and ensuring ethical and compliant use of information in an AI-driven world.
What are the top challenges faced by organizations in complying with data protection laws on a global scale?
Cecilia
First, harmonization across jurisdictions. Regulatory requirements vary significantly across regions (EU, UK, US, and APAC). This constant evolution materially increases compliance complexity for global organizations.
Second, cross‑border data transfers. Ensuring lawful international data flows — particularly from the EU to non‑adequate jurisdictions — remains a persistent challenge. Mechanisms such as Binding Corporate Rules must be robust, continuously reviewed, and aligned with evolving legal interpretations and regulatory expectations.
Pierre
A key challenge is avoiding compliance by paperwork alone. It is easy to get lost in policies, contracts, and audits, and lose sight of the real objective: protecting the data of our employees, customers, and partners. Documentation is essential, but it is not sufficient. Compliance must be designed into systems and practices through strong privacy and security principles, then supported by the right evidence — not the other way around.
Yann
Firstly, data protection is no longer a silo. Organizations now operate within a dense and interconnected regulatory landscape — EU AI Act, Digital Services Act (DSA), Digital Markets Act (DMA), Data Act, NIS2, Cyber Resilience Act, and more.
These frameworks cannot be addressed in isolation; they must be understood and managed holistically.
Secondly, risk-based prioritization is essential. Applying the same level of control everywhere dilutes impact and wastes resources. A risk-based approach focuses governance where it matters most — on the highest-risk activities — while applying proportionate measures elsewhere. This ensures sensitive use cases receive the right level of oversight, clarifies where compliance risks truly sit, and avoids overengineering low-risk areas.
How does Atos ensure personal data shared by our clients is collected, processed, and stored in compliance with applicable data protection laws?
Cecilia
Atos ensures global data protection through a consistent, group-wide framework. EU and UK Binding Corporate Rules, approved by the CNIL and the ICO, set uniform standards for how personal data is collected, processed, and protected across all Atos entities worldwide.
This framework is reinforced by global policies, strong technical safeguards such as encryption and access controls, and robust contractual protections with partners and suppliers.
A risk-based approach — including impact assessments and incident management — allows Atos to focus controls where risks are highest, ensuring effective protection while supporting business operations globally.
Pierre
Atos prioritized data protection long before the GDPR became the global benchmark. This early commitment has shaped a distinctive and consistent approach to privacy worldwide.
Today, Atos relies on a dedicated global data protection organization, combining local expertise with strong central governance. This model ensures privacy requirements are tailored to local laws while consistently aligned with EU standards, delivering high and uniform levels of protection across all regions.
Yann
We are also looking at a unified compliance framework across the organization that treats data privacy as foundational but embedded within the wider ecosystem of technology regulations.
Rather than managing privacy obligations in isolation, we recognize that data protection, AI governance, cybersecurity, and other regulations are interconnected, with each one influencing system design, risk allocation, and operational controls.
What are some of the steps taken to educate employees about individual responsibilities regarding data privacy and data security?
Cecilia
At Atos, data protection goes beyond mandatory training. A global program builds the foundation, reinforced by role-specific learning, practical cases, and real-life simulations. Continuous awareness efforts keep teams informed on evolving regulations, including AI and data protection. With privacy built into daily operations and supported by a global network of experts, Atos ensures privacy is understood, applied, and sustained across the organization.
Pierre
Security awareness is a critical pillar of data protection. In today’s digital environment, protecting personal data — as required by GDPR Article 32 — depends not only on technology, but also on people. Even the most advanced safeguards are ineffective if basic security practices are not understood or applied.
That is why Atos works closely with its security teams to promote strong, shared awareness of both privacy and cybersecurity. By combining technical protection with employee education, such as recognizing phishing attempts or handling data securely, we help ensure personal data is protected in practice, not just in theory.
What advice would you give to employees and management to foster a culture of data protection in the workplace?
Cecilia
My advice to both employees and leaders is simple: pause and think whenever personal data is involved. Ask whether the data is truly necessary, how its use can be minimized, and what safeguards are needed to protect it throughout its lifecycle.
A strong data protection culture is not built on rules alone. It is shaped by everyday behaviors: asking the right questions early, raising concerns, and making privacy-conscious choices as part of normal work.
Ultimately, data protection works best when safeguarding personal data becomes a shared reflex across the organization, not just a compliance obligation.
How can organizations ensure a seamless integration of innovation and emerging technologies with privacy risks and regulatory requirements?
Yann
What is increasingly essential is a holistic, “by design” integration of technology regulations into the development lifecycle. Data protection, cybersecurity, AI governance, and digital regulation can no longer be treated as separate compliance exercises addressed at the end of a project.
Instead, regulatory requirements must be embedded from the outset — into product design, system architecture, procurement choices, and delivery processes. When compliance is built in early, it becomes seamless. Controls are applied where they are most effective, risks are addressed proactively, and innovation can move faster with greater confidence.
This integrated approach not only reduces complexity and rework, but also ensures legal, ethical, and security considerations evolve in step with technology. Ultimately, compliance by design transforms regulation from a constraint into a foundation for trust, resilience, and sustainable digital innovation.
Posted 28/01/26
Cecilia Fernandez Arredondo
Head of Data Protection, Group DPO


