How can privacy teams keep up with constant regulatory change, new technologies, and rising expectations from customers and regulators alike? That question brought privacy professionals together at Empowering Privacy UK in London.
Experts from across industries shared what’s working, what’s changing, and where privacy is heading next. The discussions covered a wide range of topics, including risk management, interpreting the DUAA, navigating AI, privacy-enhancing technologies, and multi-domain compliance.
Read on to discover the key insights you can apply in your organization to strengthen compliance and stay ahead in data protection.
Building a stronger understanding of privacy risk

Every organization faces privacy risks, yet many still struggle to manage them effectively. The panelists agreed that there is no single formula for success. Managing privacy risk starts with understanding how the business operates, what data it relies on, and who could be affected by it.
Privacy risk, as explained by Emma Martins, depends on the context. The type of data involved, how it is processed, and who might be affected all influence its severity. That risk can extend beyond the organization itself, touching employees, customers, and the wider public.
Building on that point, Boris Selak emphasized that privacy professionals require a comprehensive understanding of their company’s operations. Only then can they help teams identify risks early. Tools and frameworks can assist, he said, but awareness and open communication remain the foundation.
When discussing board communication, both Henry Davies and Janine McKelvey stressed the need to translate privacy into business terms. Boards are more likely to engage when they understand the operational and reputational impact rather than the legal details. They also noted that independence and adequate resources are essential for DPOs to be effective.
The conversation then moved to risk appetite. According to Henry Davies, claiming to have “zero risk” may sound reassuring, but it is not a realistic expectation. Instead, organizations should define the levels of risk they can accept, document those decisions, and regularly revisit them.
For Anthony Moran, maturity models are a practical way to track progress and hold teams accountable. These frameworks evolve with the organization, helping boards see how privacy practices improve over time. Janine McKelvey added that breaking models into smaller business areas builds shared ownership and gives leadership a clearer view of where progress is needed.
Looking ahead, the panel encouraged privacy teams to stay focused on the basics. As Emma Martins put it, principles such as consumer protection, transparency, and data ethics remain central to building trust.
Panel “Demystifying data privacy risk: a deep dive into identification, assessment, and design”: Janine McKelvey (former Group GC for Data, AI & Security and Data Protection & Ethics Officer at BT Group), Boris Selak (Privacy Officer at the Law Society of Ireland), Emma Martins (Chief Commissioner at the Data and Marketing Commission UK), Anthony Moran (Associate Data Protection Officer at Meta), Henry Davies (Data Protection Officer at Birdie)
Making sense of the DUAA and the UK’s regulatory direction

The second panel unpacked what the Data (Use and Access) Act 2025 (DUAA) means for businesses operating in and beyond the UK. While the law aims to simplify compliance, the discussion revealed that it also adds new layers of complexity.
According to Mark Watts, the DUAA reduces certain administrative burdens, such as easing DPIA and ROPA obligations and clarifying the use of legitimate interests. However, these changes sit on top of existing laws like the UK GDPR and the Data Protection Act 2018, which can make the overall framework harder to navigate. He noted that updates to automated decision-making and cookie requirements may offer some relief, though the real impact will depend on each organization’s operations.
Matthew Sinclair contrasted the UK’s regulatory model with the EU’s. Whereas the EU defines in detail what is allowed, the UK gives more discretion to regulators. This flexibility means the ICO’s role becomes even more central.
When it comes to applying the new law, Janine McKelvey emphasized the need for structure. She recommended that companies approach DUAA compliance through three core pillars: people, processes, and tools. Understanding how the legislation affects daily operations, keeping vendors aligned, and embedding compliance across teams will all help organizations stay on track.
The panel agreed that while DUAA provisions provide helpful clarifications, businesses still face a fragmented legal environment. Aligning with the highest compliance standard remains the safest route for multinational organizations.
Panel “From the DUAA Act to the bigger picture: UK digital regulation in a global context”: Simon McDougall (Chief Strategist, Privacy & AI at ZoomInfo), Janine McKelvey (former Group GC for Data, AI & Security and Data Protection & Ethics Officer at BT Group), Mark Watts (Partner at Bristows LLP), Matthew Sinclair (Senior Director at CCIA UK)
The ICO’s next chapter

The UK’s privacy regulator is entering a period of structural reform. Under the DUAA, the Information Commissioner’s Office (ICO) will become the Information Commission, led by a corporate board rather than a single Commissioner.
The new model aims to bring greater stability and diversity to decision-making, with objectives centered on data protection, public trust, innovation, and competition. Natalie Rousse described the move as a modernization that aligns the ICO with its peers internationally. She also cautioned that clear roles and efficient processes will be crucial to avoid slower decisions.
From an academic perspective, Mikołaj Barczentewicz commended the ICO’s open consultation process and encouraged continued focus on innovation as it transitions to its new form.
Businesses, added Samiah Anderson, are looking for predictability above all else. Clear timelines, consistent guidance, and better coordination between regulators will help organizations plan ahead and manage overlapping obligations more effectively.
Responding to these points, Mairead O’Reilly reaffirmed that tools such as the ICO’s regulatory sandbox and cooperation with other authorities will remain central to its work. The reform, she said, is an opportunity to strengthen accountability and transparency while keeping the regulator’s independence intact.
Panel “Future of the ICO: drop the O, insight into the plans of the UK’s new Information Commission”: Mairead O’Reilly (Legal Director at the ICO), Mikołaj Barczentewicz (Associate Professor in Law, Philosophy, and Technology at the University of Surrey), Samiah Anderson (Head of Digital Regulation at techUK), Natalie Rousse (Special Counsel at Covington & Burling LLP)
Turning privacy-enhancing technologies into practice

Privacy-enhancing technologies (PETs) are transitioning from academic theory to practical application. Lukas Adomavicius explained that PETs give mathematical and technical assurances for privacy, supporting principles like data minimization. They allow data to be analyzed securely without revealing individual records.
That promise is driving more organizations to explore PETs, though adoption is still developing.
Robert Pisarczyk explained that these technologies can strengthen both security and business performance by protecting sensitive data while enabling collaboration across teams or even between companies. He pointed to emerging use cases such as secure data transfers, privacy-preserving AI training, and confidential computing.
From an operational standpoint, Franzi Zukale cautioned that not all tools labeled as PETs truly meet privacy standards. Success, she said, depends on close cooperation between legal, compliance, and engineering teams. Balancing privacy protection with business utility remains one of the biggest challenges, especially in advertising and analytics.
Regulators increasingly view PETs as a practical way for organizations to demonstrate compliance with privacy-by-design principles. As these technologies become more accessible and better defined, they are expected to become an essential part of the modern privacy toolkit.
Panel “Real-life insights on deploying PETS”: Lukas Adomavicius (Global Privacy and Data Policy Manager at the Centre for Information Policy Leadership), Franzi Zukale (Solutions Architect Business Engineering at Meta), Robert Pisarczyk (CEO & Co-Founder of Oblivious)
Governing AI responsibly

From protecting data to shaping how it’s used, the next discussion focused on artificial intelligence and what responsible governance really means in practice.
The panel agreed that trust is the foundation of AI adoption. Frank Schemmel emphasized that privacy leaders play a key role in establishing the structures that keep that trust intact, ensuring that AI is developed with transparency and clear lines of responsibility.
Building on that, Rocco Panetta added that the UK’s approach to automated decision-making takes a more pragmatic, business-focused stance than the EU’s. He stressed that while AI tools can assist DPOs, the decisions guiding their use must remain grounded in human judgment and ethical accountability.
But how does responsible oversight look in practice?
Jacqueline Auma shared practical guidance for DPOs: conduct DPIAs early, keep a human involved in every stage of decision-making, and maintain thorough documentation of reviews.
Rachel Hayes continued on this theme, focusing on fairness and transparency. She warned that even high-performing AI models can create discrimination risks if they are not properly governed. Understanding how models use data, she said, is essential for effective compliance and ethical governance.
The panel concluded that DPOs will increasingly serve as cross-functional coordinators, connecting technical, legal, and business teams to ensure AI is developed and managed responsibly.
Panel “Navigating the AI frontier: privacy challenges and responsibilities for data protection officers”: Dr. Frank Schemmel (Senior Director Privacy, Compliance & Public Policy at DataGuard), Rocco Panetta (Chairman at Panetta Consulting Group), Jacqueline Auma (Compliance Manager at Landmark Information Group), Rachel Hayes (Partner at William Fry)
Expanding privacy into multi-domain compliance

The final panel explored how privacy programs are evolving into broader compliance frameworks that touch multiple areas of business.
One reason for this development is the growing link between privacy and AI. Sarah Gee explained that DPOs are becoming more involved in AI governance because their responsibilities naturally overlap with data protection. Others agreed that this shift reflects how privacy increasingly shapes wider compliance efforts.
To support this change, organizations need a culture that treats privacy as part of innovation rather than a barrier to it.
Samantha Sayers described how privacy gains traction when business units view it as a “front door” for responsible innovation. Engaging early in projects, she said, helps privacy teams guide development rather than slow it down. Pavan Gill added that at Meta, privacy is now embedded across teams and closely connected to both AI governance and other compliance domains. Collaboration and leadership have been essential in making that work.
As privacy becomes more deeply integrated across teams, the impartiality of DPOs remains non-negotiable. Gee stressed that DPOs taking on AI oversight must remain independent and avoid involvement in operational decision-making. Sayers added that independence also relies on practical support, including adequate staffing, time, and internal alignment.
But multi-domain compliance doesn’t stop at internal collaboration.
It also depends on how organizations manage the risks that come with working with third parties. Procurement and analytics teams play a central role in monitoring how data flows across vendors and partners, while DPOs are responsible for setting clear criteria for acceptable practices and overseeing assurance processes to keep those relationships compliant and accountable.
Panel “The future of digital compliance: privacy to multi-domain compliance programs”: Paul Jordan (Senior Policy Advisor at CEDPO), Pavan Gill (Deputy DPO at Meta), Sarah Gee (Group DPO at Revolut), Samantha Sayers (Global Head of Privacy, Risk & Compliance and DPO at Bolt)
Looking ahead: privacy and business goals go hand in hand

Across all six panels, the message was clear: privacy is evolving into a broader practice that supports business goals rather than constrains them. Whether through PETs, AI governance, or integrated compliance, organizations that embed privacy principles early are better equipped to innovate with confidence.