(Beginner Guide)
Beatrice didn’t think twice about it.
She had just downloaded a new app.
It promised smarter recommendations, faster results, and a more personalised experience powered by AI.
She signed up, entered her details, and clicked:
Accept All.
A few days later, something felt different.
The app seemed to know her preferences almost too well.
It suggested things she hadn’t explicitly searched for.
Even the timing of the recommendations felt… accurate.
She paused for a moment.
How much of my data is this app actually using?
The Question Most People Don’t Ask
In the UK today, AI is part of everyday life.
From:
- shopping apps
- banking systems
- travel platforms
- social media
These systems rely on data to function.
Your data.
But here’s the question many beginners don’t ask:
Is your data actually safe?
What Happens to Your Data When You Use AI
When Beatrice signed up, she shared more than she realised.
Not just her name and email.
But also:
- her behaviour
- her preferences
- how she interacted with the app
- what she clicked and ignored
AI systems use this data to:
- personalise content
- predict behaviour
- improve recommendations
Over time, this builds a detailed profile.
Not just of who she is.
But how she behaves.
This Is Where GDPR Comes In
In the UK, data protection is guided by laws based on the General Data Protection Regulation.
These rules exist to protect people like Beatrice.
In simple terms, GDPR says:
- organisations must be clear about how they use your data
- they must only collect what they need
- they must protect your data
- and they must give you control over it
What GDPR Actually Protects
Beatrice has rights, even if she doesn’t always realise it.
She has the right to:
- know what data is being collected
- access her data
- correct inaccurate information
- request deletion of her data
- object to how her data is used
This means her data is not supposed to be used freely without limits.
There are rules.
But Here’s What Most People Don’t Realise
GDPR doesn’t stop companies from using your data.
It regulates how they use it.
So when Beatrice clicked “Accept All,” she gave consent.
And that changes things.
Because once consent is given:
- data can be processed
- behaviour can be analysed
- AI systems can learn from it
As long as it follows legal guidelines.
The Gap Between Protection and Reality
This is where things become more complex.
Even with GDPR in place:
- privacy policies are often long and unclear
- users rarely read what they agree to
- AI systems can still feel invisible
So while the law provides protection…
Many people don’t fully understand how their data is being used.
A Cybersecurity and GRC Perspective
From a cybersecurity and governance point of view, this raises important questions:
- Are organisations being fully transparent?
- Are users truly informed when they give consent?
- Who is accountable for how AI uses personal data?
Because protecting data is not just about security.
It’s about:
- trust
- responsibility
- ethical use of technology
The Real Question
Beatrice’s data wasn’t stolen.
It wasn’t hacked.
It was used… exactly as she had allowed.
But she didn’t fully understand what she had agreed to.
And that’s where the real risk lies.
On A Final Note
AI is powerful because it learns from data.
And in the UK, GDPR exists to make sure that learning happens responsibly.
But protection doesn’t replace awareness.
Because at the end of the day:
your data may be protected by law,
but your choices still shape how it’s used.
If you are starting your journey in cybersecurity, this is something worth remembering:
Data privacy is not just about laws.
It’s about understanding how your information flows and who controls it.



