Experts warn of AI's dual impact on data privacy in 2025

In light of the upcoming Data Privacy Week, experts in the field have shed light on the pressing issues surrounding data privacy in 2025. The conversation is dominated by the dual impact of Artificial Intelligence (AI), the challenges posed by legacy systems, the importance of data minimisation, and the need for robust incident response frameworks.

Marc Rubinaccio, Head of Compliance at Secureframe, highlights the current "AI rush," where organisations are integrating AI into their applications at a rapid pace. This hastiness introduces risks, particularly the exposure of sensitive customer data. Rubinaccio urges organisations to undertake risk assessments using frameworks such as the NIST AI Risk Management Framework and ISO 42001.

Chris Gibson, CEO of FIRST, expounds on AI's double-edged role in data privacy. He emphasises that while AI aids defenders with real-time threat detection and predictive modelling, it also equips malicious actors with tools for automated phishing and evasion. "Organisations need to be aware of this double-edged sword," Gibson advises, stressing the importance of adopting AI-based threat detection technologies to safeguard personal data.

The sentiment is echoed by Ionut Mihai Chelalau, Transportation & Mobility SIG Chair at FIRST, who notes that AI-powered products inevitably lead to data "leakage" into AI training datasets. Chelalau warns that privacy, as it is traditionally understood, may be unattainable without stringent regulations and easy-to-follow standards.

In addressing data protection, Shrav Mehta, CEO and Founder of Secureframe, underscores the principle of data minimisation. He posits that avoiding the collection of unnecessary data can significantly reduce risks. Mehta advises organisations to focus on their most critical assets, ensuring that security measures are robustly prioritised and tailored for maximum effectiveness.

Legacy systems present another critical challenge in data privacy management. "Data privacy often hinges on the weakest link," states Chris Gibson. He highlights the vulnerabilities in older systems that remain easy access points for attackers despite advancements in security for new technologies. Gibson recommends inventorying systems, addressing vulnerabilities through virtual patches, and developing plans to replace outdated systems.

The complexity of global privacy regulations poses additional hurdles, particularly for companies seeking international expansion. Mehta underscores that regulations like the General Data Protection Regulation (GDPR) are crucial for safeguarding privacy rights. He suggests that businesses partner with cybersecurity experts and leverage advanced technologies to understand region-specific requirements and ensure continuous compliance.

Preventative measures against data breaches continue to be essential. Mehta points out that breaches often occur due to basic oversights, such as unused encryption or unchecked authentication processes, as seen in recent breaches like Change Healthcare. He advocates for systematic controls and continuous monitoring to address these fundamental gaps.

Finally, collaboration is identified as a cornerstone for effective incident response. "Data privacy relies on security teams working together," Gibson contends. He emphasises the importance of building relationships with peers and institutions, utilising frameworks like CACAO to streamline information sharing, and conducting crisis simulations to enhance internal preparedness.

The insights provided by experts during Data Privacy Week 2025 highlight the multifaceted nature of data privacy challenges. As technology evolves, the call for diligent risk assessments, strategic data handling, and rigorous incident response plans remain paramount in safeguarding vital personal data across global networks.