Seven years after the Normal Knowledge Safety Regulation (GDPR) got here into drive, the European Fee has outlined sweeping reforms that would reshape the privateness panorama throughout Europe. Whereas nonetheless on the proposal stage, these ‘Omnibus’ modifications are advancing rapidly by way of the EU legislative course of and are broadly anticipated to cross. Trilogue negotiations on some parts have already taken place in Could 2025, and additional “simplification” efforts are already being signalled.
These aren’t simply tweaks, however the most vital modifications to the GDPR since its inception, geared toward slashing purple tape, easing burdens on small and mid-sized companies, and fixing the fragmented enforcement that has plagued the legislation since 2018.
And this will likely solely be the start. The Fee has already floated the thought of broader “consolidation” of digital laws, with additional modifications to the GDPR probably in future to accommodate rising applied sciences like AI.
Amidst vital uncertainty about the way forward for GDPR, the one assure is that these modifications are however the starting. As we noticed not too long ago with the gutting of the EU’s sustainability guidelines following the EU 2024 Parliamentary elections, this EU Fee is dedicated to creating vital modifications.
Simplification for SMEs and mid-caps
The Fee is introducing a tiered compliance framework primarily based on firm dimension and knowledge threat. Reporting exemptions at present reserved for firms with fewer than 250 workers might be expanded to incorporate these with as much as 500, and in some proposals even 750 workers.
- No record-keeping required except processing is “excessive threat” (e.g. biometric knowledge, location monitoring, AI-based profiling).
- No Knowledge Safety Officer (DPO) requirement for smaller organisations.
- Decrease fines, capped at €500,000 for smaller companies—down from the usual €20 million or 4% of annual turnover.
Sensible influence:
For a 300-person software program firm utilizing location knowledge, a knowledge influence evaluation should be needed. However a 400-person retail chain not participating in high-risk processing would possibly keep away from most documentation necessities totally.
✅ Motion level: Assessment your organisation’s knowledge processing actions. If you happen to’re beneath 750 workers and never conducting high-risk processing, your documentation and reporting necessities might be considerably lowered by 2026–2027.
Overhaul of enforcement procedures
A separate Procedural Regulation is within the means of being finalised to harmonise cross-border GDPR enforcement. However reasonably than streamlining, the proposal introduces a number of extra steps, every with its personal timeline.
- 7 months only for the preliminary planning part.
- 4 months for remaining decision-making.
- Investigations themselves nonetheless have no mounted deadline, probably dragging enforcement timelines past 2–3 years per case.
- Regulation gained’t apply till 2027, with the primary circumstances beneath the brand new timeline probably concluding no sooner than 2029.
Sensible influence:
Delays in selections from knowledge safety authorities might influence authorized certainty for ongoing processing operations, particularly in multi-jurisdictional contexts.
✅ Motion level: Map your cross-border processing and anticipate longer timelines for regulator response or enforcement. Construct this uncertainty into your compliance and threat mitigation methods.
Shift from uniformity to risk-based compliance
Reform efforts more and more favour a risk-based mannequin, adjusting compliance necessities primarily based on the nature of processing reasonably than a uniform set of obligations.
- Routine processing by small corporations = fewer obligations.
- Excessive-risk processing (no matter firm dimension) = full GDPR compliance nonetheless applies.
- Attainable future consolidation of GDPR with different digital legal guidelines just like the AI Act and the Knowledge Governance Act.
Sensible influence:
An SME providing facial recognition software program would nonetheless be sure by full compliance guidelines, whereas a low-risk advertising and marketing agency may function with considerably much less administrative burden.
✅ Motion level: Reassess your DPIAs and threat registers to align with the anticipated transfer towards proportionality. Don’t assume smaller dimension alone exempts you from obligations.
Digital procedures nonetheless not harmonised
Regardless of years of guarantees, a centralised digital case administration system is not being launched. Most documentation will nonetheless be manually shared between over 40 knowledge safety authorities.
- Case recordsdata stay fragmented.
- Paperwork should typically be produced in a number of variations for various events.
- Customers face extra procedural boundaries than firms in lodging or responding to complaints.
Sensible influence:
Companies might want to hold investing in bespoke documentation and inside methods for regulatory engagement, particularly in cross-border contexts.
✅ Motion level: Proceed investing in compliance infrastructure. An absence of harmonised methods means your inside monitoring have to be watertight—particularly for audit trails and communications with regulators.
User rights deprioritised in enforcement
The procedural reforms tip the stability towards firm rights over consumer rights.
- Firms get a “proper to be heard”; customers solely have an “alternative to submit views”.
- Company respondents can entry case recordsdata straight; customers face geographic and procedural hurdles to do the identical.
- Enforcement legislation defaults to the firm’s Member State, not the complainant’s.
Sensible influence:
This might end in extra beneficial enforcement situations for companies, but it surely additionally opens the door to uneven enforcement and reputational threat from perceived unfairness.
✅ Motion level: Keep vigilant on transparency and moral knowledge dealing with. Even when regulatory publicity decreases, reputational and client belief dangers stay.
Timeline for Implementation
| Change | Timeline |
| Mid-cap exemptions | 2025–2026 (through Omnibus IV bundle) |
| Procedural regulation enforcement | Seemingly 2027 onwards |
| First case deadlines beneath new guidelines | Presumably 2029 |
✅ Motion level: Start state of affairs planning for GDPR 2.0. The reforms usually are not simply legislative—organisations ought to reassess governance buildings, roles, and vendor due diligence practices.
Seven years after the Normal Knowledge Safety Regulation (GDPR) got here into drive, the European Fee has outlined sweeping reforms that would reshape the privateness panorama throughout Europe. Whereas nonetheless on the proposal stage, these ‘Omnibus’ modifications are advancing rapidly by way of the EU legislative course of and are broadly anticipated to cross. Trilogue negotiations on some parts have already taken place in Could 2025, and additional “simplification” efforts are already being signalled.
These aren’t simply tweaks, however the most vital modifications to the GDPR since its inception, geared toward slashing purple tape, easing burdens on small and mid-sized companies, and fixing the fragmented enforcement that has plagued the legislation since 2018.
And this will likely solely be the start. The Fee has already floated the thought of broader “consolidation” of digital laws, with additional modifications to the GDPR probably in future to accommodate rising applied sciences like AI.
Amidst vital uncertainty about the way forward for GDPR, the one assure is that these modifications are however the starting. As we noticed not too long ago with the gutting of the EU’s sustainability guidelines following the EU 2024 Parliamentary elections, this EU Fee is dedicated to creating vital modifications.
Simplification for SMEs and mid-caps
The Fee is introducing a tiered compliance framework primarily based on firm dimension and knowledge threat. Reporting exemptions at present reserved for firms with fewer than 250 workers might be expanded to incorporate these with as much as 500, and in some proposals even 750 workers.
- No record-keeping required except processing is “excessive threat” (e.g. biometric knowledge, location monitoring, AI-based profiling).
- No Knowledge Safety Officer (DPO) requirement for smaller organisations.
- Decrease fines, capped at €500,000 for smaller companies—down from the usual €20 million or 4% of annual turnover.
Sensible influence:
For a 300-person software program firm utilizing location knowledge, a knowledge influence evaluation should be needed. However a 400-person retail chain not participating in high-risk processing would possibly keep away from most documentation necessities totally.
✅ Motion level: Assessment your organisation’s knowledge processing actions. If you happen to’re beneath 750 workers and never conducting high-risk processing, your documentation and reporting necessities might be considerably lowered by 2026–2027.
Overhaul of enforcement procedures
A separate Procedural Regulation is within the means of being finalised to harmonise cross-border GDPR enforcement. However reasonably than streamlining, the proposal introduces a number of extra steps, every with its personal timeline.
- 7 months only for the preliminary planning part.
- 4 months for remaining decision-making.
- Investigations themselves nonetheless have no mounted deadline, probably dragging enforcement timelines past 2–3 years per case.
- Regulation gained’t apply till 2027, with the primary circumstances beneath the brand new timeline probably concluding no sooner than 2029.
Sensible influence:
Delays in selections from knowledge safety authorities might influence authorized certainty for ongoing processing operations, particularly in multi-jurisdictional contexts.
✅ Motion level: Map your cross-border processing and anticipate longer timelines for regulator response or enforcement. Construct this uncertainty into your compliance and threat mitigation methods.
Shift from uniformity to risk-based compliance
Reform efforts more and more favour a risk-based mannequin, adjusting compliance necessities primarily based on the nature of processing reasonably than a uniform set of obligations.
- Routine processing by small corporations = fewer obligations.
- Excessive-risk processing (no matter firm dimension) = full GDPR compliance nonetheless applies.
- Attainable future consolidation of GDPR with different digital legal guidelines just like the AI Act and the Knowledge Governance Act.
Sensible influence:
An SME providing facial recognition software program would nonetheless be sure by full compliance guidelines, whereas a low-risk advertising and marketing agency may function with considerably much less administrative burden.
✅ Motion level: Reassess your DPIAs and threat registers to align with the anticipated transfer towards proportionality. Don’t assume smaller dimension alone exempts you from obligations.
Digital procedures nonetheless not harmonised
Regardless of years of guarantees, a centralised digital case administration system is not being launched. Most documentation will nonetheless be manually shared between over 40 knowledge safety authorities.
- Case recordsdata stay fragmented.
- Paperwork should typically be produced in a number of variations for various events.
- Customers face extra procedural boundaries than firms in lodging or responding to complaints.
Sensible influence:
Companies might want to hold investing in bespoke documentation and inside methods for regulatory engagement, particularly in cross-border contexts.
✅ Motion level: Proceed investing in compliance infrastructure. An absence of harmonised methods means your inside monitoring have to be watertight—particularly for audit trails and communications with regulators.
User rights deprioritised in enforcement
The procedural reforms tip the stability towards firm rights over consumer rights.
- Firms get a “proper to be heard”; customers solely have an “alternative to submit views”.
- Company respondents can entry case recordsdata straight; customers face geographic and procedural hurdles to do the identical.
- Enforcement legislation defaults to the firm’s Member State, not the complainant’s.
Sensible influence:
This might end in extra beneficial enforcement situations for companies, but it surely additionally opens the door to uneven enforcement and reputational threat from perceived unfairness.
✅ Motion level: Keep vigilant on transparency and moral knowledge dealing with. Even when regulatory publicity decreases, reputational and client belief dangers stay.
Timeline for Implementation
| Change | Timeline |
| Mid-cap exemptions | 2025–2026 (through Omnibus IV bundle) |
| Procedural regulation enforcement | Seemingly 2027 onwards |
| First case deadlines beneath new guidelines | Presumably 2029 |
✅ Motion level: Start state of affairs planning for GDPR 2.0. The reforms usually are not simply legislative—organisations ought to reassess governance buildings, roles, and vendor due diligence practices.
