
Navigate the evolving landscape of data protection: key trends and regulatory focus for 2025

GDPR enforcement against "Big Tech" is expected to continue, especially in Ireland, where significant fines were recently imposed on social media platforms. The U.S. Executive Order on bulk sensitive personal data is likely to increase scrutiny of large-scale international data transfers, and regulators are also likely to keep examining the lawful basis for biometric data processing. The U.K. Information Commissioner's Office (ICO) may continue to favor reprimands and other informal outcomes over financial penalties, while new U.K. legislation could alter the regulatory picture. Individual liability for senior personnel, including CISOs, may emerge following data breaches. Organizations should revisit their compliance programs, weigh the stated priorities of the regulators in each jurisdiction in which they operate, and address the points where cybersecurity, data governance and data protection intersect.

Data protection enforcement trends

GDPR enforcement against "Big Tech" looks set to continue, in particular in Ireland following last year's appointment of Des Hogan as Commissioner for Data Protection. In 2024 the Irish Data Protection Commission imposed large fines on social media platforms. Any appeals brought by the data controllers concerned against those penalties will progress in the coming year.

Following the U.S. government's recent Executive Order "Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern", we can also expect continued regulatory focus on the lawfulness of large-scale international data transfers. We are also likely to see further scrutiny of the lawful basis for large-scale processing of biometric data, continuing a trend that in 2024 included a significant fine imposed by the Dutch data protection authority on a company operating facial recognition technology.

In the U.K., there is nothing to suggest that the Information Commissioner's Office (ICO) will depart in 2025 from its recent pattern of relatively few financial penalties and a greater emphasis on reprimands and more informal outcomes. That said, while the ICO reserves its formal powers for the most egregious cases, its regulatory engagement can still have a significant impact on companies, e.g., cookie sweeps, engagement on its priority areas under the Age Appropriate Design Code (AADC), and guidance in areas such as AI.

Individual liability

A further possibility is the emergence of individual liability for senior individuals within an organization who are responsible for keeping data safe. For example, a large-scale data breach caused by a failure to manage cybersecurity risk appropriately could lead to shareholder derivative claims against directors for breach of fiduciary duties, something which, while novel in Europe, is not uncommon in the U.S. CISOs may also find themselves subject to increased individual scrutiny, as regulators look to obtain information from them, as the standard-bearers of security, in the course of post-incident regulatory investigations. This continues a trend that has emerged over the last couple of years, which has seen SEC fraud charges brought against the CISO of one technology company, and criminal liability established against the CISO of another for misleading the FTC and concealing a historic data breach.

Managing data protection risk

Managing data protection risk is never far from the top of organizations’ priorities. In the current climate, the following matters should be afforded particular attention:

  • Revisit and challenge existing compliance programs whenever the organization adopts new technologies with data protection or privacy implications (most notably, any novel use of AI that involves the processing of personal data).
  • Consider (and, where appropriate, compare) your business activities against the stated priorities of data protection regulators in the jurisdictions in which you operate, and assess the risk implications of those priorities. Priorities can vary significantly even within a region; see, for example, the discussion above of Ireland and the U.K.
  • Think carefully about developments at the intersection of data protection, information governance and cybersecurity. Many of the largest fines and penalties in this area have resulted from matters such as inadequate security measures applied to personal data that was otherwise being processed lawfully; data retention policies not being applied thoroughly, so that personal data which should already have been deleted was exposed; or coding errors leading to the exposure of personal data. All of these issues show that data risk needs to be considered holistically in order to be managed effectively.

This article is part of the A&O Shearman White-Collar Crime and Investigations Review 2025.
