Introduction

Formula 1 is a sport where nothing stays still for long.

The car that dominates one season can be made obsolete by a change to the rulebook the next. Calls that once took race control an afternoon of deliberation now have to be made in the seconds it takes a field of cars to reach the next corner and stewards, tasked with reviewing those same incidents, are expected to keep pace. For most of the sport's history, the team with the deepest pockets won. The cost cap changed that. Now that spending is constrained, the advantage sits with whoever reads the conditions correctly and commits before anyone else does.

That, increasingly is the world the modern Data Protection Officer is working in.

For most of the role's short history, the DPO had a settled rhythm. The regulations were broadly known, the pace was manageable and the work was largely one of careful review, assess the processing, sign off the DPIA, hold the line. AI has changed the tempo. Capabilities that used to take months to procure now arrive in an afternoon, often deployed by people who never thought to ask. The regulatory ground is moving under everyone at once. As broadly the same tools are now available to every organisation at broadly the same price, the advantage no longer sits with whoever has the most resource. It sits with whoever brings the better judgment to the same information.

Formula 1 offers a useful way to think about all of this, because it has always been a contest between three roles with distinct authority and shared accountability. The driver working at the limit of what is possible, the pit wall making the real-time calls on strategy and the steward enforcing the regulations. Map those onto an organisation deploying AI and a lot of the current confusion comes into focus, including the question of who is actually accountable when something goes wrong.

This briefing presents eleven observations drawn from our experience of supporting organisations through AI adoption. Each pairs a broader market or technology trend with the specific data privacy considerations that accompany it. The intention is not to prescribe actions or to suggest that any of these areas are necessarily gaps. Many privacy teams will already have strong positions on several of these points. The aim is to surface the themes we believe will shape the DPO's agenda over the next 12 to 18 months and to offer a framework for thinking about them. Each section is designed to stand alone as a discussion point, suitable for a breakfast session, a team discussion, or the basis for a longer exploration of any individual topic.

A word on tone. The pace of AI development invites two equally unhelpful responses, uncritical enthusiasm and paralysing anxiety. This briefing aims for neither. If there is a word for what we are advocating, it might be apocaloptimism, a clear-eyed recognition that AI is disrupting established roles, business models and governance assumptions, combined with a genuine conviction that data privacy professionals are better positioned to navigate this disruption than almost anyone else in the organisation. You already understand data flows, risk assessment, proportionality and accountability. Those are exactly the competencies this moment demands.

The through-line is simple. The teams extracting real value from AI are not the ones with the most expensive kit. They are the ones who did the preparation, understood the track and learned to make good calls at speed.