PogoWasRight.org

GDPR in 2025: What’s Changed and What You Still Might Be Getting Wrong

Posted on April 25, 2025 by Dissent

News From Wales reports:

What’s New with GDPR in 2025?

Modifications and shifts from 2025 will be enforced and interpreted under GDPR. One of the major changes involves SME facilitation for compliance under the new proposals by the European Commission, floating streamlining of Data Protection Impact Assessments (DPIAs), which would also allow using shared or third-party Data Protection Officers (DPOs). They are expected to make compliance less of a nightmare for small companies but do not derogate from basic privacy protections.

Data protection authorities (DPAs) across Europe are becoming more beefed up to the hilt as they begin issuing fines across various sectors rather than just limiting themselves to the tech giants. By January 2025, the GDPR fines from various sectors have aggregated to a whopping €5.88 billion, with Ireland’s Data Protection Commission (DPC) serving as the biggest offender, disbursing fines summing up to €3.5 billion since 2018. Meta, LinkedIn, and many others have all been singled out and subjected to some of the largest penalties; however, even smaller sectors, such as healthcare and finance, are finding themselves in the crosshairs as well. This wider net simply shows that regulators actually mean business, irrespective of the size of the company.

Universally, the latest trend that manages the aerial view is on new technology such as artificial intelligence (AI). Regulators are investigating how AI systems handle personal data. Such investigations target critical issues like whether consent models for AI-powered platforms comply with the strict standards of GDPR. It was also hinted by the European Data Protection Board (EDPB) that many online platforms will find it hard to legally endorse data-bulky practices in AI, thus forcing firms to rethink their tech stack choices.

Tighter scrutiny levels were also put on cross-border data transfers. Regulators are tightening their SCCs and BCRs following very famous, big cases like the 2023 €1.2 billion fine that Meta incurred for the illegal transfer of data from the EU to the US. Businesses that transfer data to the UK are already preparing for fresh requirements that might come with this uncertainty because the adequacy decision of the UK is set to lapse in June 2025.

Common Mistakes Businesses Are Still Making

Seven long years into GDPR, companies are still making new mistakes and are unable to overcome the old ones; here is what you are probably getting wrong and how to set it right.

1. Inaccurate Data Mapping

Data knowledge about what exists, where it exists, and how it is utilized is the fundamental learning about GDPR, yet very few businesses are caught up with the GDPR data mapping requirements. Admissible under Article 30 is a proper data map, or Record of Processing Activities, which many companies either forget or let gather dust. Flying blind without an up-to-date ROPA means being unable to spot risks or prove compliance to regulators. Classifying sensitive data types, for example, health or financial records, may lead to their lack of suitable protective mechanisms or even expensive breaches.

Fix it: Conduct a thorough audit to acquire complete data every year. Map all the flows; classify data by sensitivity; put it all into a ROPA. Microsoft Purview might help to automate this process, though you’ll get by with a simple spreadsheet so long as you’re consistent.

2. Breach Notification Rules Being Scorned

Data safety breaches happen, whether it’s a stolen laptop or an all-out cyber attack, and the fact is that you are going to have to report a data breach under GDPR to the respective supervisory authority within 72 hours unless there is no risk of harm to the individual’s rights. Many organizations delay notifications while holding onto the threads of the issue, or fail to properly document incidents as breaches. Twitter learned this the hard way in 2020, getting slapped with a €450,000 fine for late reporting.

Fix it: Establish a very strong incident response plan. Staff must have clearly defined roles, be trained, and practice breach simulations. Document all breaches, no matter how small, detailing as much as possible regarding scope and impact along with remedial actions. Notify the DPA in case of doubt—better safe than sorry.

Read more at NewsFromWales.

Category: Laws, Non-U.S.

©2025 PogoWasRight.org. All rights reserved.