IAPP EU Data Protection Congress 2025: “Certainty on what the rules are and how they apply” needed

A GRIP exclusive interview with Isabelle Roccia, IAPP Managing Director, Europe.

At a buzzing 2025 iteration of the IAPP EU Data Congress, the GRIP team spoke to Isabelle about some of the key challenges facing professionals working at the intersection of data, privacy and technology.

The conference was made zestier by the release of the EU’s digital omnibus. Roccia pointed out that the complexity of EU regulation “is something that is coming up as a key challenge across all sectors and functions in the IAPP community.” It is not only the sheer number of EU rules that is creating issues, but also the fact that “many of the rules are overlapping, some are conflicting, while others are complementary.”

When “even the objectives can sometimes vary and be at odds with one another, the process of navigating the landscape becomes challenging,” she said. A good example of this is the conflict between GDPR and the AI Act.

One of the underpinning principles of GDPR is “data minimization – collect what you need, retain for a period needed,” but “translating this into an AI context is extremely challenging. Because to train an AI engine there is a need to have access to a volume of data that is on a different scale.” And then other critical questions arise, such as: “What is the legal basis for processing that data? What constitutes legitimate interest? How does legitimate interest apply in the AI context?”

“Only a small proportion of respondents feel confidence in their ability to comply effectively.” – Isabelle Roccia

Roccia was keen to emphasize that, from a business and compliance standpoint, the rules are also just a place from which to start, because “you also have to add jurisprudence from the courts, guidance from regulators, and enforcement actions as well” – each of these influencing both interpretation and implementation.

The IAPP’s EU Digital Laws Report 2025 surveyed its professional membership about their confidence in being able to comply with the various rules that the EU has recently promulgated (for example, the AI Act, DMA and NIS2). According to Roccia, the findings are evidence of the fact that only “a small proportion of respondents feel confidence in their ability to comply effectively” and that they raise questions about “what the [professional] community needs from regulators and legislators to deliver on their expectations and outcomes.”

This is something that the IAPP is looking at closely on behalf of its membership, specifically trying to get a more accurate sense of what this landscape looks like in order to help members effectively navigate it. Roccia suggested that one of the things that regulators should consider when drawing up policy is “the people working on its implementation.” She said the IAPP is policy neutral, but will “encourage clarity that empowers people to do their job.” The community of professionals wants “certainty on what the rules are and how they apply.”

Privacy and data protection

Our conversation moved swiftly on to those very people – the IAPP membership. Originally the core mission of these professionals was focused on privacy and data protection, but “fast forward to today, there has been a real expansion of the profession both in terms of breadth and depth in having to cater to digital domains that go well beyond privacy. The most visible part of the iceberg illustrating this trend has been AI.”

The result is that there has been “a real evolution in the roles and missions that our membership has to work on, expanding what was largely a privacy portfolio and having responsibility for emerging issues like AI governance, or online safety or even competition.”

This evolution has been driven by big changes in “the regulatory environment and legislative landscape, themselves a consequence of the growth and deployment of new technologies and the adoption of their use by wider society.”

According to Roccia, this is another key area that the IAPP has been looking at in addition to regulatory complexity: “How do organizations and professionals deal with this expanded remit? What are its implications on how firms organize their governance and compliance functions?” Answers to these questions “will have an impact on how organizations look at data compliance and governance going forward.”

The impact on the profession is not to be underestimated, she pointed out. “The DPO has traditionally been one role that is identified as one that organizations need” and it is “often these [data protection] teams that find themselves in a default position to be the interlocutor around AI governance questions.”

For Roccia, this is partly the consequence of “the maturity of privacy functions” which “make them a good starting place for organizations to think about what it is that they want to do in this area of governance.” She was at pains to stress that this does not necessarily imply that “the data protection function should at all times be the lead or the host of the AI governance function” but that the function has “a lot to bring to enable an organization to think through the AI governance issues.”

She thought that while it is impressive that “a large proportion of organizations polled by the IAPP have reported having a governance-first approach to the deployment of AI”, even the regulators “have been candid about the level of challenge AI represents in terms of finding adequate talent.”

“The vast majority of privacy legislation is rooted in a very common set of principles: consent, transparency, legal basis for processing.” – Isabelle Roccia

We asked about cross-border data transfers and the concept of data sovereignty, which was a hot topic overheard in many conversations around the vast venue.

Roccia firmly emphasized that “setting geopolitics aside, the vast majority of privacy legislation is rooted in a very common set of principles: consent, transparency, legal basis for processing” and that “these are principles that are well-established and still have relevance today.” These shared principles also mean that the “expansion of the notion of comprehensive privacy legislation has really taken off in the last few decades” since the advent of GDPR and now “90% of the world’s population is covered by some form of privacy legislation.”

She continued: “There is obviously a lot of nuance, because diverse cultural backgrounds, diverse legal frameworks and regimes apply” and “geopolitics plays a more prominent role in the discussions that feed into how privacy work is being conducted.” But while the regimes, including those of the EU and US, “may look very different, underlying these are actually some very similar objectives.”

The need to empower the law enforcement community and protect national security while making sure that fundamental rights remain protected is a topic “that keeps resurfacing” and one where “not everyone is confident that the EU has found the right balance.” It is “important to dissociate the political discourse from what is happening in practice” and, according to Roccia, “this is where we also see regulators embracing the need to remain pragmatic.”

Technological change

As our conversation drew to a close, Roccia mused on the career choices that led her to becoming a privacy professional and managing director. “I came to work on privacy a bit by chance. I was not in the field when I was working; I came in the door through cybersecurity where I started working on EU digital policy. And that led me to work on data privacy, but also other issues like data transfers, data security. Being in those areas I came across the IAPP and here I am.”

And there is a lesson in this dynamic career, set against a backdrop of rapid technological change, for younger professionals who may be daunted by the emergence and adoption of AI. Roccia says that with AI “already deployed in our work and personal lives without us actually realizing this” the “community is increasingly acting as an enabler of the good that may actually come” and is “moving away from being purely focused on compliance to engaging with governance and enabling business with DPOs working directly with boards, and the increasing frequency of chief trust officers at organizations.”

This evolution in titles and job descriptions is coupled with and reflects the broader remit that privacy professionals now have, and represents a real opportunity for those considering a career in this field.