Your organisation’s data processing practices are likely to have developed and changed in the last few years. In addition, there is always new legislation in the pipeline.

2025 is shaping up to be an important year for your data protection and governance practices, with new legislative changes expected in the UK as the Data (Use and Access) Bill progresses through Parliament, and in Europe different parts of the EU AI Act will enter into force while compliance with the EU NIS2 Directive concerning cybersecurity will continue to be a priority.

Watch our short video on some of the key steps to take and read on to find out what you should consider as your top data protection and governance goals for the year.


1. Get to know your data flows!

The first step in understanding the extent of your data protection compliance risk is understanding what data you hold, where it is stored and how you use it. Understanding this is essential to all other aspects of data protection requirements, as it will feed into your compliance documentation and practices and is the foundation of information management.

Many organisations carried out data mapping exercises in 2017/18 in the run up to GDPR implementation, but may not have regularly reviewed their data flows since then. A lot can happen and change in 8 years, so our top data compliance goal for 2025 is getting to know (and understand) your data flows and refreshing your data maps!

2. Get to know your policies

Once you understand the data you hold, why you use it, how it is obtained and who it is shared with, the next step is to understand what data governance practices and documentation you need to have in place.

Most organisations will, as a minimum, need to have an internal Data Protection Policy and Privacy Notices (both internal and external), and it is usually a good idea to have an Information Security Policy and a Record Retention Policy. Depending on the size and nature of your organisation, you may also need to have specific protocols in place for managing data breaches and data subject access requests.

This documentation should reflect how you process data and manage data protection compliance in practice – so an “off-the-shelf” draft won’t do the trick if it has not been tailored to your organisation. Also consider how these documents are shared or accessed – there is no point in having great policies if no one knows about them!

From a compliance perspective, you should also have a Record of Processing Activities, and have recorded Data Protection Impact Assessments for any high-risk processing and Legitimate Interest Assessments when relying on legitimate interests as your lawful basis for processing.

3. Identify, assess & plug any gaps

Compliance gaps come in all shapes and sizes – for some there may be missing or outdated policies, or supplier contracts with missing data processor clauses or international data transfer assessments and addenda. Other gap analysis reviews may reveal that information security measures are lacking, or that marketing and cookie consents are invalid. Whatever your gaps, 2025 should be the year to understand what they are and to plug them!

4. Establish chain of responsibility

In the last couple of years, there has been some uncertainty in the UK over the role of data protection officers versus senior responsible individuals as a result of draft legislation proposed by the former UK government. Going into 2025, we know that draft legislation has been abandoned in favour of the new Labour government’s Data (Use and Access) Bill. The new Bill does not propose any changes to the role of data protection officers from the current position in the UK GDPR – so DPOs are here to stay!

As a result, any organisations that had changed their governance structures in anticipation of a change to senior responsible individuals will have to re-think their strategy going into 2025.

In the context of a contentious DSAR or significant personal data breach, there needs to be a clear chain of responsibility, with a data protection officer or similar appointee with sufficient authority to make key decisions efficiently and promptly. If there is any uncertainty in your organisation as to who this person is, this should be addressed as a priority in 2025.

5. Prepare for DSARs

Recent trends indicate that data subject access requests, known as DSARs or SARs, are on the rise and will continue to be a burden going into 2025. The burden is even shared with the ICO, who confirmed in their annual statistics that they received nearly 16,000 complaints about DSARs in the year 2023-24 (for more information, see our previous blog).

Having a clear process for identifying and managing DSARs is key to balancing compliance obligations while keeping resources spent on DSARs to a reasonable level. Appropriate training and procedures for identifying and escalating DSARs quickly help reduce time wasted, and adopting appropriate strategies for conducting searches and information reviews can help to increase efficiency.

6. Prepare for breaches

Personal data breaches and cyber risk continue to be a headline worry for organisations (see our previous blogs), and there is no sign of this changing as we go into 2025.

Cyber risk will continue to pose a threat as the sophistication of threat actors continues to grow, particularly as they increase their use of generative AI to gain access to systems and infrastructure.

In addition to cyber threats, it is worth remembering that many personal data breaches are also caused by human error or insider threats. These types of breaches may be easier to avoid with increased training, testing and monitoring of system usage.

7. Assess website and marketing strategies

In 2024 we saw the ICO’s first enforcement action following their website review exercise and joint warning with the CMA against harmful online designs (see our previous blog).

We also saw an increase in the use of “pay or consent” models, forcing users to choose between giving consent to cookies/personalised marketing or having to pay a fee to access online services. The ICO issued a “call for views” on this topic in Spring 2024, and their findings are due to be published imminently.

In addition, fines for breaches of the cookie and direct marketing rules are due to increase from £500,000 to £17.5 million or 4% of annual global group turnover. Given the ICO’s proclivity for issuing fines for non-compliance with these regulations (15 out of 17 monetary penalties issued by the ICO last year related to direct marketing breaches), reviewing compliance with the privacy and electronic communications regulations has to be a 2025 goal for any business looking to stay off the ICO’s radar.

8. Assess security measures

Organisations with a European dimension will continue to be subject to increased regulation regarding their information security measures under the EU NIS2 Directive and the EU Cyber Resilience Act (which came into force on 10 December 2024). The scope of these regulations goes beyond data compliance, as they apply to information security generally and not just to the protection of personal data.

Although this is European legislation, the scope of these regulations is defined broadly, and in some cases will capture organisations that provide certain goods and services to European customers.

9. Assess AI solutions

The initial AI hype-bubble may have dissipated during 2024 as significant flaws, energy concerns and costs surrounding the use of generative AI began to mount up; nevertheless, AI solutions will likely still be a key concern for data protection practitioners and regulators going into 2025.

It remains to be seen whether or not the UK will adopt its own version of the EU AI Act, but as a minimum the ICO expects organisations to conduct extensive and detailed assessments throughout the AI lifecycle.

Towards the end of 2024 we saw the ICO issue specific guidance on the use of AI in a recruitment context, but a lot of the commentary here is useful for the application of AI systems in a number of different circumstances.

If you have not already done so, 2025 will be the time to assess how AI systems can be used by your organisation, and to assess the costs, risks and benefits of using AI systems for different use cases.

10. Assess global landscape

The last few years have seen many jurisdictions introduce and implement new data protection laws, and in 2025 we will continue to see more of that as legislation is finalised and brought into force. Key developments are expected in Australia, India and the US in particular.

For many UK organisations, compliance with the UK GDPR sets a high bar and will usually tick most of the boxes for compliance with data protection regimes in other jurisdictions. However, be aware that each individual regime may have its own expectations on matters such as data localisation and the appointment (and personal liability) of data protection officers – so it is always worth double checking!

For support with achieving these goals or with any other data protection and governance issues, please contact David Goodbrand or Jo McLean in our Cyber Security & Data Privacy team.

Written by

David Goodbrand, Partner, Commercial Contracts

David specialises in advising clients on outsourcing arrangements, IP licensing, complex commercial contracts, fintech and the use of information.

Jo McLean, Director, Technology

Jo provides strategic advice on the complex interactions between data protection and broader digital regulatory areas such as ePrivacy.
