Data Protection Day 2026: From Compliance to Resilience

The AI era is redefining data protection. As identity abuse and global cyber threats accelerate, data protection must evolve from a legal formality to operational resilience.

January 28 marks Data Protection Day, a date rooted in one of the earliest milestones of the digital age: the anniversary of the 1981 signing of Convention 108, the first legally binding international treaty for data protection. What began as a European initiative has since evolved into a global observance recognized across North America, parts of the Middle East, and beyond. 

Each year, Data Protection Day offers an opportunity to reflect not only on legal frameworks and regulatory progress, but on whether our collective understanding of data protection still matches the realities of today’s digital environment.

Those realities have fundamentally changed. As outlined in the CrowdStrike 2025 Global Threat Report and CrowdStrike 2025 Threat Hunting Report, cyber adversaries now operate with unprecedented speed, scale, and sophistication. eCrime groups, state-backed actors, and hacktivists increasingly rely on advanced social engineering, resilient criminal ecosystems, and the systematic abuse of identities. Stolen credentials, access brokerage, and the misuse of legitimate user accounts have become primary pathways to unauthorized access, data theft, and operational disruption. At the same time, the volume and distribution of data have expanded exponentially, driven by cloud and AI adoption, SaaS sprawl, remote work, and data-driven business models. 

Data is no longer a static asset protected at the perimeter. It is continuously accessed, replicated, and moved across identities, environments, and third parties. This expansion has fundamentally altered the risk landscape, creating new and compounding vulnerabilities that traditional compliance-centric approaches were never designed to address.

These trends underline a hard truth that has become increasingly difficult to ignore: legal requirements mandate robust security measures as a foundational element of compliance, and security is critical to resilience. Organizations that meet data protection requirements without scrutinizing evolving security standards may not be compliant at all, since they can still be exposed to operational failure, data loss, or large-scale breaches. Data protection, in practice, lives or dies at the intersection of legal safeguards, technical controls, organizational processes, and real-time operational response.

When Risk Comes from Within

Today’s data protection risks no longer originate solely from external adversaries. They also increasingly emerge from within organizations themselves, whether from insider threats or driven inadvertently by the rapid and often uncontrolled adoption of AI tools. The question is no longer whether organizations should use AI, but whether they can do so in a way that is legally sound, technically secure, and operationally resilient.

As generative AI, autonomous agents, and non-human identities proliferate, they introduce an entirely new attack surface that traditional security and privacy tools were never designed to protect. Prompts can be manipulated, models misused, and sensitive data exposed, often without ever crossing a conventional network boundary. 

Generative AI services and large language models, such as enterprise copilots and publicly available tools, are now deeply embedded in daily workflows. Employees may unintentionally enter confidential, regulated, or personal data into AI systems, including information that must not be disclosed or reused for model training under data protection law.

This creates a new and pressing challenge for data protection: how to enable innovation and productivity without losing control over sensitive data. 

For organizations, this means modern data protection must move beyond reliance on individual user behavior toward resilience by design. Automation, real-time monitoring, and policy enforcement at the interaction layer become essential to preventing failure before it occurs. As AI adoption scales across the enterprise, protecting data, models, and infrastructure is no longer enough. The prompt and agent interaction layer, where decisions are made and actions executed, must also be secured.

CrowdStrike addresses this challenge with Falcon AI Detection and Response (AIDR). This extends the Falcon platform to secure one of the fastest-growing and least understood attack surfaces by monitoring, governing, and defending AI interactions across workforce AI use and AI development. By detecting and preventing prompt injection, jailbreaks, model manipulation, and unauthorized tool execution in real time, Falcon AIDR helps prevent sensitive data from being exposed or misused. Crucially, it aligns security and privacy with operational resilience by enforcing controls at runtime and delivering visibility, auditability, and seamless integration into security operations without disrupting legitimate workflows.

Addressing this new internal risk landscape also requires controls that span identity, endpoints, and the browser. This approach is reflected in CrowdStrike’s recently announced intent to acquire SGNL and Seraphic, which will focus on securing AI-era access decisions and browser-based data exposure.

Moving Beyond the Illusion of Absolute Control

The ongoing debate around data sovereignty and “sovereign cloud” solutions highlights why this challenge cannot be solved by assuming fully localized or on-premises solutions offer the same security outcomes as those delivered by global infrastructure. 

CrowdStrike’s Global Data Sovereignty initiative is grounded in the fact that regional data residency must reinforce protection from adversaries, not isolate defenders. At its core, cybersecurity is a data problem. Limiting how security data can be analyzed, correlated, and acted upon reduces visibility, slows response, and can weaken the global threat intelligence required to counter modern adversaries. Data isolation constrains defenders, not adversaries.

By enabling customer-directed data flows and resilient data architectures while preserving unified visibility across environments, CrowdStrike helps security teams correlate signals, apply intelligence, and respond effectively as threats move across systems, allowing cybersecurity to operate at the scale and speed of the adversary.

This approach is guided by secure governance, responsible data handling, and respect for jurisdictional realities. Data is managed lawfully, transparently, and with discipline as AI reshapes how organizations operate. By combining regional data residency with global protection, CrowdStrike stops breaches in a world where attacks do not respect borders.

The conversation needs to shift from data protection as a static compliance exercise to data protection as a core pillar of organizational and cyber resilience. Achieving resilience requires identifying risks, mitigating them, and implementing robust means to limit both the likelihood and the impact of those risks materializing. Data protection compliance consequently involves an adaptive posture, active defense, and a focus on preventing ever-evolving threats to privacy. This means ensuring legal principles are supported by technologies and governance models capable of withstanding real-world pressure.


Drew Bagley is VP and Counsel, Privacy and Cyber Policy, at CrowdStrike.

Christoph Bausewein is Assistant General Counsel for Data Protection and Policy at CrowdStrike.
