As data privacy regulations tighten and public scrutiny intensifies, organisations are reassessing how they manage digital risk. For risk managers, the challenge now extends beyond compliance to sustaining operational resilience and protecting long-term value.
Sonia Cheng, senior managing director at FTI Consulting, says the escalating demands of data privacy compliance are reshaping how organisations, particularly risk managers, think about resilience.
As privacy regulation, litigation, and enforcement converge, she believes that risk leaders must now address privacy not only as a compliance function but as a critical component of broader enterprise risk management.
“Keeping pace with regulatory, consumer and shareholder expectations for data privacy, organisations face the perfect storm of privacy challenges amidst a rapidly evolving landscape in 2025,” Cheng said. “Twenty states in the US are now enforcing comprehensive privacy legislation, while state attorneys general are ramping up enforcement efforts, and privacy-related class actions are surging with novel legal theories being tested across jurisdictions.”
For risk managers, digital risk is no longer siloed within IT or legal teams. Cheng points out that many businesses still lack full visibility into data tracking activities across their digital environments, exposing them to potential liabilities.
“Organisations face significant risks when their websites contain pixels transmitting user data without proper consent – often unaware of all tracking technologies deployed across their digital estate,” she said.
Cheng explains that even rigorous internal compliance is not enough if third-party partners are involved. Under GDPR and UK frameworks, she notes that organisations remain liable for the actions of partners with whom they share controller status.
“Even when an organisation maintains compliance, joint controllers’ failures can trigger regulatory investigations directed at the organisation’s operations,” Cheng said.
For those managing enterprise risk, Cheng outlines the concept of privacy resilience as a crucial framework.
“Privacy resilience is an organisation’s ability to withstand, adapt and recover from adverse privacy events, whether regulatory inquiries or enforcement, legislation, lawsuits or public scrutiny,” she said. “It encompasses more than just strong data protection mechanisms; it includes flexibility — the capacity to adapt to new regulations, technologies and unforeseen incidents with minimal disruption.”
Equally important, according to Cheng, is the ability to maintain and rebuild stakeholder trust.
“Trust resilience involves maintaining and regaining stakeholder trust through consistent actions and transparent practices,” she said. “During and following crises, organisations with strong trust foundations retain loyalty and support.”
“A 2024 study found that 94% of organisations say their customers won’t buy from them if data is not properly protected,” she said. In her view, risk professionals need to account for how quickly operational failures in data protection can evolve into reputational and financial liabilities.
Response strategies during a privacy incident must also be handled with care. Cheng warns that poorly managed communications can intensify the damage.
“Consider the messaging missteps when organisations discover analytics trackers that are transmitting sensitive user information to third parties without proper consent,” she said. “Organisations that immediately respond with ‘we take privacy seriously’ platitudes while failing to address the specific concern often amplify the crisis.”
Financial implications of privacy failures extend across several dimensions. Risk leaders must assess the exposure of core business functions to privacy-related disruption and take steps to mitigate that impact.
“Immersive digital experiences, from augmented shopping interfaces to personalised financial dashboards, now generate significant portions of organisational revenue,” she said. “When privacy failures compromise these experiences, revenue immediately suffers.”
For risk managers overseeing regulatory compliance portfolios, Cheng highlights emerging legal frameworks, particularly those tied to artificial intelligence.
“Continually changing and emerging laws and regulations, particularly those related to artificial intelligence, necessitate operational adjustments for organisations,” she said. She notes that such changes can delay strategic initiatives and increase scrutiny of a firm’s data governance practices.
“These requirements place increased pressure and resource demands on privacy stakeholders, legal, business teams, IT, customer operations and risk management teams,” Cheng added. “Taking a holistic approach to managing digital risk is crucial for minimising regulatory change impacts.”
Third-party relationships present another key risk exposure. Cheng notes that organisations must evaluate their vendor ecosystems for privacy continuity.
“The sudden loss of a critical vendor’s functionality can result in service disruption and subsequently damage reputations,” she said. These risks may arise from legal disputes, regulatory non-compliance or post-acquisition contract changes that limit data access.
To mitigate litigation and regulatory exposure, Cheng said proactive governance is essential. This includes robust documentation, defined response protocols, and the integration of privacy into risk management planning.
“Demonstrating a good data privacy stewardship is easier when proactive measures are in place, allowing organisations to defend their practices effectively under scrutiny,” she said.
“The path to privacy and trust resilience begins with honest leadership conversations about readiness, culture and objectives,” Cheng said. “Leaders need to assess whether their existing practices pose gaps that could expose the organisation to unnecessary risks.”
Cheng also highlights that the strategic role of privacy is expanding, particularly for risk executives tasked with sustaining enterprise resilience.
“By building robust, flexible privacy capabilities and maintaining trust through transparency and proactive planning, organisations are better positioned to navigate crises and thrive in an evolving regulatory and market landscape,” she said.