28th January is Data Protection Day! It serves as a reminder for organisations to reflect on their responsibility in handling personal data. On the anniversary of Convention 108, the first international treaty on data privacy, adopted in 1981, Data Protection Day highlights the importance of compliance with evolving data protection laws. It’s an opportunity to revisit data governance practices, review compliance measures and strengthen data security to manage legal risks and reinforce customer trust.

So, what can we expect in 2025?

First, in the pipeline we have the Data (Use and Access) Bill 2024-25 (DUA Bill) which proposes a number of reforms to the UK’s data protection framework. It could lead to some divergence from the EU’s GDPR, causing potential compliance challenges for businesses operating across both regions. It could also call into question the UK’s “adequacy” status, which currently allows free flow of data from the EU. For more information, see here.

Preparation for the EU’s AI Act will ramp up. The AI Act came into force on 1 August 2024. While most of its provisions do not take effect until August 2026, some provisions start in 2025. For example, “prohibited” AI (such as AI that deploys subliminal techniques or purposefully manipulative or deceptive techniques) will be banned from 2 February 2025. In the UK, the government proposes to introduce legislation targeted at “frontier” AI (the most advanced AI models). Aside from this, the government continues to encourage regulators to develop their own sector-specific guidance. As such, the UK’s light-touch approach contrasts with the EU’s more prescriptive regime, again, leaving businesses to navigate two distinct sets of rules.

As if the regime for international transfers of data were not complicated enough, the EU has announced plans to introduce additional standard contractual clauses (SCCs) to cover transfers of data to controllers and processors in third countries where the data importer is directly subject to the GDPR. They will complement the existing SCCs, which cover data transfers to third country importers not subject to the GDPR. Meanwhile, in June 2025, the EU will review its adequacy decision for the UK. While renewal is likely, it will depend on how the proposed DUA Bill aligns with EU expectations.

The UK ICO will intensify its enforcement actions in 2025. As part of its online tracking strategy, the ICO has announced plans to ensure compliance across the UK’s top 1,000 websites. This will also include a focus on online advertising, aiming to give individuals greater control over how their personal information is used. Once the DUA Bill becomes law, the ICO will also have the authority to impose GDPR-level fines for breaches of the privacy regulations, including cookie use and digital marketing. Reviewing your website, cookies and e-marketing compliance should therefore be a priority for 2025.

The intersection of ESG (Environmental, Social, and Governance) reporting and data protection will continue to be prominent in 2025, as organisations are increasingly expected to demonstrate ethical data practices. Diversity monitoring, in particular, presents challenges for businesses seeking to collect and process special category data from workers while ensuring compliance with strict data protection laws.

With ransomware attacks and personal data breaches becoming more frequent and sophisticated, businesses face increasing pressure to enhance their security measures or face potentially substantial fines. Both the UK and EU are prioritising accountability, making swift reporting, detailed impact assessments, and proactive mitigation strategies essential for regulatory compliance.
