Data Protection Day 2025: insights from experts
In 2025, organisations are facing unprecedented privacy challenges due to the rise of generative AI and increased cloud adoption. Ahead of Data Protection Day 2025 on January 28th, we've compiled the thoughts of a number of data privacy and security experts to examine best practices when it comes to data protection for the year ahead.
Ellen Benaim, Chief Information Security Officer, Templafy
"Data Protection Day is a reminder that privacy isn't just a policy — it's a business imperative.
In the AI-wave, data is increasingly fed into AI systems and models and the need to safeguard individual rights has never been more critical. AI-driven technologies offer immense opportunities but also introduce new risks around data usage, bias, and security. Regulations are evolving to keep pace, and customers and their end-users expect more transparency than ever before.
The landscape is shifting. And the businesses that will thrive in this new era are the ones that treat security, compliance and privacy as a competitive advantage, not a burden. Customers trust brands that protect their data. Regulators favour businesses that prioritise security. Privacy isn't just about avoiding fines. It's about building trust, reducing risk, and future-proofing your organisation."
Phillip Mellet, General Counsel, Pipedrive
"For any customer, personal information is a top concern – if I'm sharing my data with a company, I want to know it's safe and how it's going to be used. The UK government reported that half of businesses (50%) had experienced a cyber security breach or attack, and with the risks facing Britain 'widely underestimated' according to the NCSC head, companies need to assure customers and business partners that they safeguard their data.
"But it's not enough for a company to just say their own policy is watertight. The flow of data involves a network of companies running across a chain – with data supplied and received from a number of places. It's critical for businesses to collaborate with trusted parties. Businesses need to operate in a safe network, to ensure their customers have confidence that any data is handled securely and responsibly.
"While bolstering their own data protection credentials in-house, leaders need to have a keen eye for partners – what accreditation do they have? The right certifications signal commitment to upholding international standards, which is what all businesses need to achieve in 2025. At Pipedrive, through our ISO 27001 and 27701 audits and accreditations, we are always looking to reaffirm our position as a trusted partner. ISO 27001 and 27701 establish frameworks for managing and safeguarding information security and privacy through rigorous programmes guided by recognised industry standards."
Matt Ausman, Chief Information Officer, Zebra Technologies
"With the growth in more connected frontline workers we're seeing more connected data flows, which is good for things like asset visibility and intelligent automation but requires commensurate data protection measures for the good of the company, its workers and customers.
"When looking at generative AI, data privacy has become a concern in relation to inputting private data into prompts as well as the scraping of publicly available and copyrighted data. On the other side, factual errors and hallucinations remain a problem with generative AI outputs. It means discussions about data privacy and protection need to align with discussions about safe data sharing and high data quality.
"And with companies investing significant time, skills and budget into generative AI tools, we are much more aware that AI governance, data governance, IT, security and legal need to work together to balance protecting business and customer data and confidentiality while also leaving plenty of space for employees to leverage generative AI tools in their jobs and customers to reap the benefits in their purchasing and other interactions with businesses."
Danny Allan, Chief Technology Officer, Snyk
"As one of the most pressing issues in a digital age, data security is a complex challenge that requires action from consumers, businesses and society at large.
"Consumers control their own security settings, but developers have a fundamental duty to minimise risks. With 82% of vulnerabilities found in application code and 90% of web apps susceptible to attacks – 68% of which could expose sensitive data – the importance of secure development cannot be overstated.
"By embedding security at every stage of the software development lifecycle, developers can help mitigate these risks. This includes implementing secure coding practices, complying with industry standards and leveraging proactive threat detection.
"Security should be a fundamental element, embedded from early-stage development to deployment. Key measures include encryption, application firewalls and authorisation controls, along with robust authentication mechanisms such as multi-factor authentication.
"Advanced security tools that scan for vulnerabilities throughout the development lifecycle also have a role to play. By taking a proactive approach, we can strengthen application security and protect consumer data from ever-evolving threats."
Leah Perry, Chief Privacy Officer, Box
"The role of the Chief Privacy Officer (CPO) has grown significantly with the rapid evolution of global privacy and data protection laws. As a result, it's evolved from a compliance-focused function to a dynamic leadership position integral to key operations and business functions. From product development, risk, strategy, governance, sales and marketing, amongst others, Privacy has a pivotal seat at the table.
The bright spot in the privacy field is that so much of what is happening in technology is tied to privacy. There is a growing demand for CPOs and privacy experts to guide the implementation, use, and integration of AI while ensuring oversight and compliance. As a privacy professional, you're already in a proactive position to work on organisations' most critical decisions concerning AI. There's never been a better time to be a privacy professional!"
Paulo Rodriguez, Head of International, Vanta
"Data Protection Day serves as a timely reminder of an important topic that, in truth, should be front of mind for businesses all year round. This year, however, is perhaps more important than ever before, with more than half (54%) of UK organisations saying that security risks for their business have never been higher. Of note, 69% say that customers, investors and suppliers increasingly require proof of compliance in areas like data protection and the use of AI.
Many businesses are still struggling to adapt their data management practices to meet the evolving requirements of compliance regulations. Despite significant efforts, staying compliant with data protection remains a resource-heavy task that demands continuous monitoring and regular audits. In the UK alone, time spent on these activities increased to 12 working weeks in 2024 (compared to 10 in 2023).
To complicate matters further, AI has become a must-have for many businesses to stay competitive, which is introducing new data privacy risks. The rise in AI tools used across vendors and the associated risks complicates third-party risk management, putting confidential data and reputations in the balance. But AI can also help organisations manage this risk, thanks to its ability to scrub large amounts of information in a fraction of the time. It can support organisations to find the information they need and answer any security and compliance questions with ease.
Beyond just Data Protection Day but through 2025 and the years to come, businesses must integrate continuous, collaborative and automated trust management into their operations in order to stay compliant and secure."