The 2025 Privacy Risk Summit brought together the brightest minds in data privacy, security, and governance for a full day of forward-looking discussion on how to navigate the next wave of privacy regulation and technology change. This year’s event explored how privacy programs are evolving alongside emerging technologies, new state laws, and rising consumer expectations.
From expert panels to product showcases, the summit highlighted practical strategies for adapting to a rapidly shifting privacy landscape—anchored in collaboration, innovation, and transparency. Here are three main takeaways that defined the 2025 Privacy Risk Summit.
Takeaway 1: The “New Standard of Privacy” Demands Proactive Readiness
The day began with Tom Kemp, Executive Director of the California Privacy Protection Agency (CPPA), delivering a keynote on how state regulations are setting a national precedent. Kemp explained that California is “walking a mile in the consumer’s shoes,” signaling a future where accountability isn’t just a legal requirement but a shared business responsibility.
In conversation with Daniel Barber, CEO of DataGrail, Kemp underscored that companies can no longer wait for regulation to dictate action. Barber noted that “the best-in-class programs have legal, security, and privacy working together,” emphasizing collaboration as the new foundation of effective privacy programs.
That partnership is more critical than ever. 82% of Data Subject Requests (DSRs) are now for data deletion — outpacing access requests for the fourth year in a row — while the cost of managing them has increased 43% year-over-year. These figures reflect a world where consumers expect control, and organizations must build privacy readiness into their DNA.
Rather than waiting for the next wave of laws, companies must prepare now — by operationalizing transparency, strengthening data governance, and automating compliance tasks. As Kemp put it, privacy programs that react are already behind. The new standard demands readiness, agility, and a deep understanding of what consumers value most: control over their data.
Takeaway 2: Privacy and AI Are Colliding — and Cooperation Is Key
The most dynamic theme of the day revolved around AI — not as a futuristic problem, but as a very present privacy challenge. In the sessions “Generative AI & Privacy: Risks, Realities, and the Road Ahead” and “Staying Ahead of AI and Global Privacy Regulation,” speakers from across industries explored how AI is reshaping the relationship between data, privacy, and accountability.
Panelists including Whitney Merrill, Head of Data Protection, Privacy, and Compliance at Asana, Jason Clinton, Deputy CISO at Anthropic, and Sunil Agrawal, Chief Security Officer at Glean described a new tension: AI systems are generating value from data faster than traditional privacy frameworks can respond. With models learning from vast datasets, privacy leaders must rethink what responsible data use actually looks like. As Merrill noted, “Employees will find a path to use it in some way — and if they don’t like it, they’re going to find a path to use something else.” Organizations must therefore “set out guardrails to protect the confidential data that is in your company,” focusing on mitigating risk while still enabling innovation.
The conversation repeatedly returned to a central point: no single department can manage AI privacy risks alone. Compliance teams need to collaborate with engineers and data scientists to ensure that privacy guardrails are built directly into model design. Legal teams must be conversant in machine learning concepts. And executives must invest in AI governance tools that balance innovation with oversight.
This theme connected directly to a broader trend: 73% of DSRs now come from regions without privacy laws.
Consumers everywhere — regardless of jurisdiction — are signaling that they expect transparency and control. That means global organizations can’t rely on local law to define their responsibility. Instead, they must build privacy programs that scale ethically and globally.
As Gabriela Zanfir-Fortuna, Vice President for Global Privacy, Future of Privacy Forum and Omer Tene, Partner at Goodwin discussed in the global regulation panel, privacy has entered a borderless phase. The companies that succeed in this new reality will be those that treat AI ethics and privacy as two sides of the same coin — using governance, culture, and technology to ensure that innovation doesn’t outpace integrity.
Takeaway 3: Automation and Transparency Are Reshaping Privacy Operations
If the first half of the summit focused on policy and ethics, the second half was all about action — specifically, how to operationalize privacy in an environment where manual compliance simply can’t keep up.
In the DataGrail Product Spotlight, Eric Brinkman and Lisa Wang demonstrated how automation and AI are transforming privacy management from reactive workflows into real-time intelligence. “The question isn’t whether AI increases our risk — it’s how we use it responsibly to reduce it,” Brinkman said, framing automation as both a necessity and an opportunity.
During the Product Spotlight, DataGrail introduced Risk Register. As privacy regulations and your tech stack get more complex, you need a smarter way to track and manage privacy risks. Risk Register gives you the ability to document, track, and manage risks across your organization within a single searchable hub.
From the “Privacy in Action” panel — featuring Anna Rogers, Senior Privacy Analyst at nCino, Randy Wood, Vice President & Associate General Counsel at Cricut and Jennifer Miller, Data Privacy Associate at Dykema — to the peer-to-peer career breakout discussions led by Adrienne Komogorov, Senior Associate Counsel at Poppulo and Steve Irlbacher, Associate General Counsel at LastPass, each underscored that automation must go hand-in-hand with human accountability. Technology can streamline compliance, but true transparency requires education, communication, and a culture of privacy-first thinking.
Looking Ahead: Privacy as a Strategic Advantage
If 2024 was about adapting to change, 2025 is about owning it. Privacy has evolved into a strategic discipline — one that unites people, processes, and technology to build trust and mitigate risk.
This year’s Privacy Risk Summit showed that forward-thinking organizations aren’t just complying with regulations; they’re redefining what responsible data stewardship looks like. They’re investing in automation, strengthening cross-functional collaboration, and treating privacy as a shared company value.
As global regulations tighten and consumers demand more control, DataGrail remains committed to helping businesses lead with confidence — enabling them to stay compliant, build trust, and thrive in a privacy-first future.
Missed the event? Watch the full session recordings here and keep an eye on our socials for speaker takeaways, and exclusive insights from the 2025 Privacy Risk Summit.
Continue the Discussion
Are you passionate about privacy, legal, or security issues? Want to connect with like-minded professionals and stay ahead in a rapidly evolving landscape? Become a member of our Privacy Community!
We’ve got everything from privacy law updates to career tips, monthly privacy huddles, and exclusive resources tailored for the privacy community. Don’t miss out on the chance to be part of a vibrant network committed to advancing data privacy.
