Loretta Pugh
Partner
Co-lead of Data Protection and Cyber Security (UK)
We are celebrating Data Privacy Day (28 January 2025) by reflecting on the evolving landscape of data protection.
In the coming year, organisations will face significant shifts across the realm of data privacy from legislation and Artificial Intelligence (AI) to cybersecurity and the growing risk of data related group litigation. With the United Kingdom's Data (Use and Access) Bill likely to receive Royal Assent along with rising concerns about AI, biometrics and evolving regulatory risk, businesses must stay ahead of these developments to ensure robust data protection practices.
In this article, we highlight the top six data protection developments to watch for in 2025. We started with five, but with fresh news last week from the Information Commissioner's Office (ICO) on tackling cookie compliance on UK websites, a late entry flies in at number 3!
The Data (Use and Access) Bill is currently progressing through parliament, and based on current timescales looks likely to be given Royal Assent in 2025.
The Bill sets out a number of changes to the UK General Data Protection Regulation (GDPR) and Data Protection Act 2018, including in relation to data subject rights, listing processing activities that may be necessary for purposes of a legitimate interest, processing for the purposes of scientific research, and relaxing some of the constraints in relation to automated decision making. In addition, there is an increase in the regulator's enforcement powers. Talking of the regulator, the Bill, if passed, would abolish the role of the Information Commissioner and transfer his functions to a new Information Commission.
The changes will not require a significant compliance effort akin to preparation for the GDPR in 2018, but in certain circumstances may allow for processing of personal data that is currently unlawful or at least questionable. In any event, organisations will want to re-assess their accountability documents and privacy frameworks in light of the changes.
AI is going to continue to be a hot topic in 2025. The Government's recent presentation of an "AI Opportunities Action Plan" demonstrates its commitment to "ramping up AI adoption across the UK to boost economic growth, provide jobs for the future and improve people's everyday lives". The King's Speech in July 2024 stated that the new Labour Government would seek to establish appropriate legislation to place requirements on those working to develop the most powerful AI models. By the end of 2024 no such legislation had been proposed. On regulation, the Government's response to the Action Plan was quite muted, stating that it would "set out its approach on AI regulation and will act to ensure that we have a competitive copyright regime that supports both our AI sector and the creative industries".
Whether, or to what extent, the UK adopts any specific AI legislation remains to be seen. Nevertheless, we can expect continued focus on AI by the ICO, whether through its guidance or enforcement action. In the spring we can expect guidance to help local authorities comply with the public sector equality duty and data protection law when procuring and contracting out AI-based technologies.
In 2025 we shall see an increased focus from the ICO in relation to online advertising following the newly announced release of the ICO's online tracking strategy for 2025. This seeks to ensure that people have meaningful control over how their personal information is tracked and used online. As part of this strategy, the ICO has announced that it will be actively reviewing cookie usage on the biggest UK sites. The plan is to bring the UK's top 1,000 websites into compliance with data protection law. This follows an earlier assessment on the compliance of the top 200 UK websites, 134 of which were found wanting!
In addition, the ICO has published guidance on so called 'consent or pay' models. Under these, people can either consent for their personal data to be used for personalised advertising in order to gain access to online content, pay a fee to access the content without personal data being used for personalised advertising, or decide not to access the content. The key take away is that if a “consent or pay” model is being implemented, people must have freely given their consent for personalised advertising. We can expect the ICO to engage with the operators of the sites that currently deploy this model.
The ICO has historically been active with enforcement when it comes to the use of biometrics and 2025 may be no different. Whether it be the use of facial recognition or fingerprints, the ICO has been very public about its expectations on their lawful use. For companies contemplating use of biometrics for identification purposes, care needs to be taken, and an analysis made, to determine whether the proposed processing is lawful.
In 2025 we can expect updated guidance on the scanning of children's fingerprints in schools.
Regulation of cybersecurity and tech continues to evolve quickly through 2025 in the UK and further afield, notably in the EU. Increased use of cloud technology and unchecked third-party vendors go hand in hand with fast growth in cyber risk, bringing greater supply chain vulnerability and exposure of business data. Cyberattacks are expected to become more sophisticated as attackers use AI to speed up vulnerability discovery, phishing and malware creation, and the production of deepfake content for fraud. Unpatched vulnerabilities, unsecured edge devices and IoT (Internet of Things) products remain recurring points of compromise. Where the combination of AI and quantum computing is explored in certain sectors through 2025, the emerging data protection and cyber security risks will need full consideration.
2025 is expected to see the Cyber Security and Resilience Bill, the UK's equivalent to the EU's Network and Information Systems Directive 2 (NIS2), become law. Its aim is to improve UK cyber defences and protect essential public services by expanding the remit of the current regime (the NIS Regulations 2018). It will bring enhanced regulatory powers and increased incident reporting obligations. A Home Office consultation on ransomware is underway: mandatory reporting of ransomware payments to government is on the horizon. Business preparedness requires strong cyber infrastructure, robust incident response plans and training.
Compliance with NIS2 currently harbours uncertainty. Some EU countries have still not transposed it into national law. In-scope UK entities doing business in the EU need to navigate these changes in 2025. Non-compliance with NIS2 risks financial penalties, personal liability for managers, reputational damage and operational disruption. See our previous blog post - Data centres: Managing the cyber resilience of the newest form of critical digital infrastructure.
The EU's Cyber Resilience Act (CRA) came into force on 10 December 2024, although there is a transition period: manufacturers' vulnerability and incident reporting obligations apply from 11 September 2026 and the remaining obligations from 11 December 2027. Its focus is on the cybersecurity of products with digital elements. It mandates secure design, vulnerability management and conformity assessments. UK companies placing products with digital components on the EU market must comply to avoid penalties. Alongside the CRA, the UK's Product Security and Telecommunications Infrastructure Act 2022 (PSTI), whose consumer connectable product regime has applied since 29 April 2024, is another compliance risk to manage in 2025. See our previous article - Are you meeting new, enhanced UK cyber security requirements for consumer "smart" products?
Class action litigation has become a significant trend globally, and its presence is growing in the English courts in 2025. Collective actions are made possible due to litigation funding and increasing interest of parties to enter into funding arrangements. To date UK class actions for misuse of data have not got off the ground. The significant Supreme Court decision, Lloyd v Google, decided that claims for loss of control of data could not be brought as "opt-out" representative actions (where a claim is brought on behalf of an entire group of people without requiring individuals to join the case).
As well as several off-shoots left to test the boundaries of "opt-out" representative actions in misuse of data claims, there is the potential for other group action routes yet to grow legs. Claimant law firms and litigation funders are behind collective actions here in the UK. Global mass data-related class actions (with related shareholder derivative actions) are firing up in courts in other parts of the world. Data security challenges are expanding and gaining visibility at all levels. The risk of privacy group litigation is not going away.
Indeed, the EU General Court kicked off 2025 (Bindl v Commission, 8 January 2025) by awarding a claimant EUR 400 in non-material damages (i.e. there was no material loss) for loss of control over his personal data after the European Commission transferred it to the United States without appropriate safeguards. Whilst this decision may yet be appealed, if it isn't, it sets a precedent for non-material damages for loss of control of data in the EU courts and brings closer the risk – for now outside the UK – of collective redress claims based on similar circumstances. This gives yet further impetus for prioritisation of data protection, cyber risk and data security management at board and C-suite level.
As we look toward 2025, the future of data protection is increasingly shaped by legislative changes, technological advancements and an intense focus on data security. From the implementation of the Data (Use and Access) Bill to the growing influence of AI and biometric regulation, organisations must remain agile in their compliance efforts.
Want to know how we can support with your data protection efforts? Get in touch with our Data Protection and Cybersecurity Team.
A cyber breach can happen at any time and preparation is key. Be sure to download our 24/7 Cyber Incident Response Hotline card and save it to your desktop so you can contact us immediately to help get you back to business.
NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.