Business Security
Incoming laws, combined with broader developments on the threat landscape, will create further complexity and urgency for security and compliance teams
23 Jan 2025
•
,
5 min. read
As Data Privacy Week (January 27-31) and Data Protection Day (January 28) approach, it’s the perfect time to spotlight the critical role data protection plays in the success of modern organizations.
In fact, privacy and data protection go hand-in-hand with cybersecurity. Important laws like the GDPR stress not only the need to uphold the privacy rights of your customers, but also to protect their most sensitive personal information (PII) through state-of-the-art technologies like encryption. Campaigns like Data Privacy Week are more than just annual events – they should be thought as calls to action to prioritize the security and privacy of data in an ever-evolving digital landscape.
The past 12 months have been a momentous time for global privacy, thanks to new laws, important legal rulings and emerging technology and threat trends. It’s time to get ready for more of the same in 2025.
What happened in 2024?
Over the past year we’ve witnessed:
Some eye-watering fines and settlements
These include:
Major court rulings
Significant decisions from the Court of Justice of the European Union (CJEU) will have major implications for organizations operating in the bloc. These included:
- the Lindenpotheke case, where the CJEU ruled that businesses can sue rivals over GDPR violations under unfair competition laws. The same ruling expanded the definition of health data.
- C-621/22, in which the CJEU clarified “legitimate interests” as a lawful basis for processing personal data, as long as organizations follow strict privacy measures.
More cybersecurity-related laws
Among those passed or advanced in 2024 were:
- NIS2, which brings more organizations into scope and requires they implement strict cybersecurity controls,
- the Cyber Resilience Act (CRA), which mandates a rigorous set of security requirements for hardware and software sold in the region,
- the Cyber Solidarity Act (CSA), which is designed to help member states better detect, prepare for, and respond to large-scale cybersecurity threats.
Global AI governance efforts
These included:
What can you expect for 2025?
The impact of many of these events will be felt throughout 2025 and beyond, while incoming laws and longer-term threat landscape trends will create further complexity and urgency for security and compliance teams. Be prepared for:
More data protection laws
These include Canada’s C-27 Bill, the UK’s Data (Use and Access) Bill and no fewer than eight state-level privacy laws, in Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Tennessee, Minnesota and Maryland. These will cumulatively help to build awareness of and enshrine privacy rights into law, as well as open the door to regulatory enforcement. The end result will most likely be to increase the pressure on compliance teams and business leaders to enhance data protection measures.
More enforcement
We can also expect to see regulators begin to flex their muscles as laws passed in 2024 start to hit home and various requirements come into force. For example, the EU AI Act will see:
- a ban on AI systems posing unacceptable risks (including social scoring and untargeted facial data scraping) from February 2,
- requirements for general-purpose AI models to come into force on August 2. These will include a mandate for generative AI (GenAI) developers to assess and mitigate systemic risks and document cybersecurity measures.
More threats and more privacy risk
The past year saw publicly reported data breaches in the US hit record highs, with over 353 million end users exposed to identity fraud as a result. As AI tools, stolen credentials and service-based offerings continue to proliferate on the cybercrime underground, expect a deluge of relatively sophisticated cyberattacks which may catch out unprepared security teams. GenAI in particular will enhance the quality of social engineering campaigns and reconnaissance of vulnerable and exposed IT assets.
Organizations which fail to improve their security posture in line with best practices risk inviting the scrutiny of global privacy regulators.
Threat actors weaponizing new laws
Just as they did following the introduction of the GDPR, cybercriminals could use the threat of regulatory action to force victims to pay up in extortion attacks. NIS2 fines could reach €10m or 2% of global annual revenue, for example. It’s also possible that if the new law helps drive improvements among regulated organizations, threat actors will switch their attention to organizations not subject to the directive, such as smaller firms.
AI creating privacy compliance challenges
AI systems must be trained on huge volumes of data. Sometimes this data is scraped from the web, and sometimes it comes from existing customer accounts. This creates potential privacy challenges if consent has not been clearly obtained (as LinkedIn found out in the UK). Opaque AI systems may also make it harder for organizations to remove or correct personal information when asked to by users. Several US states are already planning AI laws, following the lead of Colorado.
What to do next
Against this backdrop, 2025 could be a critical year for security and compliance teams. Be sure to stay ahead of the game by:
- Keeping abreast of relevant regulatory and legislative changes and understanding the compliance requirements that apply to your organization
- Enhancing data security in line with industry best practices
- Ensuring corporate data owners are clearly identified and creating a robust reporting system that identifies the roles and responsibilities of everyone involved
- Performing data protection impact assessments (DPIAs) before introducing any new product or service (e.g., a new AI tool), as well as putting in place appropriate safeguards based on the DPIA
- Monitor performance, review security protocols, and address areas that require attention
Data protection can often seem like a burden. But in fact, it should framed as an opportunity. It offers your organization the chance to enhance customer loyalty and trust, not to mention mitigate the risk of financially and reputationally damaging breaches. View 2025 through this lens, and the next 12 months could open the door to new business possibilities.
