Data Protection Risks in 2025 - ZISHI


Explore how data protection risks and rules have evolved, and what firms must do to stay compliant.

For the majority of my career, I’ve worked in regulatory risk units across the spectrum of finance firms. I’ve covered the rules around payday loans, the financing of transit vans and oil rigs, paperwork for private banks and debt collection firms and everything in between.

While going through the alphabet soup of SIB, BCSB, FSA, FCA, PRA and ECB, my colleagues and I used to joke that regulatory changes in data privacy were good. After all, they kept the compliance team busy and able to pay our mortgages.

Now, the laughing has stopped. The stakes have always been high, but international firms and their senior manager functions are starting to feel isolated. They’re turning to external advisors and safe discussion spaces with competitors to avoid being the head above the parapet. Heads-up has become heads-down.

Please note: This is not a political piece. It’s simply an analysis of the current state of data protection risks in 2025.

Regulatory Changes to Data Privacy in 2025

Regulatory changes in data privacy have been relatively gradual. Discussion papers lead to advising consultation papers, and then a transition to policy and guidance. Throw in some legislation, and the UK gives the world a heads-up regarding the direction of travel. We may not like the direction, but at least we, and those wanting to operate here, have an idea of what’s expected.

Although we’re not part of the EU, we can still review their plans and understand how they align with ours. We can identify competitive advantage in some areas and recognise our shortfalls in others.

Until late 2024, scanning headlines and reading documents helped us guide clients on where to focus their training and resources.

2025 has altered all of that.

The world has changed. The current US administration is upending the norms of the past 70 years. Now it’s about reacting rather than preparing.

When a CEO of a respectable firm asks whether to issue burner phones to staff travelling to the US to avoid loss of data or challenges at immigration, it’s time to get out the old Risk and Control Assessment spreadsheet and start re-evaluating data protection risks and impacts.

What is the Transatlantic Data Privacy Framework (TADPF)?

The 2023 Transatlantic Data Privacy Framework (TADPF) has gone through a number of iterations. The new version is built on the underpinnings of the old ‘Privacy Shield’ and ‘Safe Harbour.’

There were some misgivings when TADPF was adopted in Europe. However, one can see a pragmatic compromise being taken between the EU and the US. (Although sidelined in discussions, the UK has bought into the overall concept; once again, a pragmatic approach.)

New EU Data Transfer Rules and Restrictions

With some foresight, the European Data Protection Board published new guidelines for transferring personal data to public bodies outside the EU. This included a change to how subpoenas and compliance requirements in foreign countries could be answered. In short, EU firms can’t, without an international treaty or legislative agreement between the two jurisdictions, move data.

In addition, holding client data ‘just in case’ a foreign power may want it in the future is not a ‘legitimate interest’ in meeting a country’s GDPR compliance requirements.

Now, more member states require detailed risk assessments and risk mitigation plans before any data is moved outside of the EU. As such, data privacy scrutiny is ramping up across the whole industry. Strictly speaking, this doesn’t affect the UK yet. But for every UK firm that deals with Europe, it already sort of does.


This article is written by The ZISHI experts and published in the May 2025 edition of Advice Matters Magazine.

FAQs

What are the risks of data protection?

Data protection risks refer to potential threats to the security, privacy and availability of data. The main risks include data breaches, regulatory non-compliance, loss of trust, operational disruptions, reputational damage, legal challenges and potential fines.

What is the EU-US transatlantic data privacy framework?

The Transatlantic Data Privacy Framework (TADPF) is a data-sharing agreement between the EU and the US. It outlines how personal data can be transferred and processed in the US while ensuring compliance with EU data protection.

Does the UK follow TADPF rules?

The UK is not a formal party to the EU-US transatlantic data privacy framework, but does align with its goals. UK businesses can transfer personal data to US organisations certified to the “UK Extension to the EU-US Data Privacy Framework” (UK Extension) under Article 45 of the UK GDPR.

What are the new EU rules around data transfers?

The EU requires firms to have international treaties or legislative agreements in place for data transfers. Simply storing data ‘just in case’ a foreign power may want it is not compliant with GDPR requirements.
