Organisations must reimagine their approach to data protection, mitigating risk and adapting to new regulations in a fast-changing environment. David O’Sullivan explains why
As we enter the second quarter of 2025, the data privacy landscape is on the cusp of transformative change.
Rather than reacting to headlines, organisations are now compelled to reimagine their approach to data protection, blending strategic foresight with a renewed commitment to ethical stewardship.
Here, we outline our top 10 data privacy predictions for the remainder of the year, pinpointing the key trends that will shape how organisations handle compliance, mitigate risks and adapt to regulatory changes.
1. Changing DPO role in AI governance
As artificial intelligence (AI) relies heavily on quality data, data protection officers (DPOs) are crucial in helping organisations understand and use their data effectively.
Given the overlap between data protection and AI governance, DPOs are increasingly managing AI compliance and governance. Both roles require the ability to coordinate cross-functional teams and adapt to evolving challenges.
2. Privacy by design and privacy-enhancing technologies
With the growing need for data in AI, protecting that data and transforming it into privacy-enhancing or anonymised formats is becoming ever more essential. These tools enable organisations to benefit from their data while maintaining privacy.
Privacy by design is a principle-based approach that is set to become increasingly popular, prompting organisations to review their processing activities in depth, reducing risk and improving compliance management.
3. GDPR compliance frameworks
Europe's digital regulations are complex and extensive. Privacy frameworks derived from the General Data Protection Regulation (GDPR) provide a solid foundation for building comprehensive compliance frameworks. These frameworks will be updated to accommodate new compliance requirements.
4. Shifting attitudes toward compliance
We saw numerous headlines about data-related fines cropping up in 2024. Regulatory bodies, such as the Data Protection Commission, have intensified their efforts to manage complaints and breaches, putting more pressure on organisations.
As consumer awareness grows, driven by global discussions on data privacy, we can expect to see more attention to data protection compliance.
5. International transfers under scrutiny
International discussions will lead to greater scrutiny of data transfers. Recent findings by the Court of Justice of the European Union could significantly impact international data transfers, prompting organisations to reassess their practices.
6. Consumer awareness of data subject rights
In Ireland, damages have already been awarded for GDPR non-compliance. While this hasn't yet led to a surge in claims, increased awareness will empower data subjects to hold controllers accountable. Organisations may shift their focus from regulators to data subjects.
7. Increase in cookie consent enforcement
Cookies, often invasive and disruptive, are under scrutiny.
The Data Protection Commission’s review of cookie compliance five years ago highlighted widespread non-compliance.
Combined with the European Data Protection Board’s (EDPB) Cookie Banner Task Force and increased action by groups such as the European Centre for Digital Rights, we can expect enforcement actions to ramp up as organisations have now had time to implement recommendations.
8. Proactive approach to processor compliance
As privacy programmes mature, organisations will focus on the entire data lifecycle, including third-party processors.
The EDPB's opinion on data processors and sub-processors highlights the importance of controllers ensuring compliance throughout the data value chain.
This will likely lead to more queries and demands from controllers to processors.
9. Board assurance on data protection
With GDPR in effect for seven years, boards are increasingly concerned about data protection risks that extend beyond compliance, driving demand for assurance through audits and certifications, which are rapidly maturing.
10. Greater focus on transparency
To empower data subjects, organisations must provide clear and practical transparency notices.
Moving away from legalistic, lengthy and obscure notices to more informative ones will enhance transparency and build trust with data subjects.
David O’Sullivan is Director of Privacy, Digital Trust and Artificial Intelligence Governance at Forvis Mazars