
Data Privacy: Reflecting on 2024 and What to Expect in 2025

With 2024 now firmly behind us, it’s remarkable how quickly the year came and went. As we advance into 2025, now feels like an ideal moment to reflect on the past year and anticipate what lies ahead.

The UK made some significant data protection changes, either proposed or implemented, notably a memorandum signed between the Information Commissioner’s Office (ICO) and the National Crime Agency (NCA). The aim is to enhance security through the reporting of cybercrime while maintaining each organisation’s distinct role. There have been changes at the ICO, not least a name change to the Information Commission (IC). Additionally, changes to its structures and an increase in its powers have been proposed, along with fee increases, because of its increased responsibilities in relation to the Digital Information Bill and Smart Data Bill, both of which are aimed at driving economic growth.

A report from the European Commission reveals that since the GDPR came into effect in 2018, enforcement actions have amounted to a staggering €4.2 billion.

The French regulator, CNIL, issued a fine relating to data anonymisation in accordance with the WP29 opinion (05/2014). This is significant, as many organisations claim that data is anonymised but fail to clearly demonstrate what processes they have undertaken to achieve this.

The European Court of Justice (ECJ) and the European Data Protection Board (EDPB) provided further guidance for cases where Legitimate Interest is being relied upon.

Further afield, data protection legislation has been active, with regulations in the US at a state level as well as in Saudi Arabia, whose KSA Personal Data Protection Law is enforced by SDAIA, which also provides guidance on AI.

2025 Predictions

Predicting what 2025 will look like for data protection and privacy, without the use of AI, is always a little challenging with so many variables in play.

The changes proposed under the Data Use and Access Bill (DUAB) regarding the use of automated decision-making will undoubtedly create opportunities for greater use of technologies that rely on these processes. However, this is likely to be accompanied by increased concerns from consumers and individuals.

The new guidance on data transfers will need careful consideration, along with whether the new US administration will have an impact on the sustainability of the current EU-US framework. Regarding data transfers, the June review of DUAB could potentially impact the UK’s adequacy status; however, it seems unlikely that this will be negatively affected.

Another requirement under DUAB is the need to have a formal complaints procedure with reporting on the number of complaints to the IC.

Under the UK’s PECR (Cookie Directive), the fining structure will increase in line with the GDPR. This may influence companies’ digital marketing risk appetite, leading to change.

Organisations of all sizes, from global blue-chip and large corporate enterprises to one-person micro-companies, are increasingly adopting AI systems, often without even realising they have implemented AI applications.

This article focuses on how organisations can start preparing to manage AI tools effectively, rather than exploring the EU AI Act or the AI Liability Directive. AI adoption will accelerate during 2025, bringing significant opportunities for efficiencies and innovation. However, AI is not a new concept, and many organisations may already be using it in various departments.

Data protection is a multidisciplinary function that requires an understanding of law, information security, risk management, and ethics. The increasing use of AI will further emphasise the need for these skills, as well as a strong understanding of intellectual property (IP) and product liability. To adapt, data protection teams will need to foster greater collaboration internally and seek external expertise, including support from specialist training providers.

AI regulation varies significantly across jurisdictions. The UK and US are adopting relatively unregulated approaches, while the EU has implemented a comprehensive regulatory framework. Organisations will need to determine the most appropriate standards to adopt, particularly given the challenges of navigating overlapping regulatory requirements when working with multiple vendors or developing new products.

Data security also demands particular attention, especially with emerging risks such as poisoned training data, which can lead to inaccurate AI outcomes. For organisations developing or using digital products, the Cyber Resilience Act (CRA) may also become an important consideration.

Conclusion

Opportunities for organisations are currently significant, which is exciting; however, the increase in and changes to the regulatory landscape will create management challenges. Digital marketing is a complex area for organisations, as it often requires the use of personal data and profiling. As organisations revisit their use of data and AI systems, the potential clash between the principles of data protection, minimisation, purpose limitation and transparency will need to be very carefully navigated.

It is the responsibility of senior leadership and management to integrate data protection functions into business operations. Data protection functions must provide elegant solutions to the ever-increasing and complex landscape they face; they must go beyond compliance.

Key Takeaways for 2025

  • Understand your organisation’s current data protection position
  • Build a robust data protection framework that can adapt to change
  • Determine your organisation’s approach to AI use and adoption
  • Train relevant stakeholders to understand the new landscape

