Seven years after the General Data Protection Regulation (GDPR) came into force, the European Commission has outlined sweeping reforms that could reshape the privacy landscape across Europe. While still at the proposal stage, these ‘Omnibus’ changes are advancing quickly through the EU legislative process and are widely expected to pass. Trilogue negotiations on some elements already took place in May 2025, and further “simplification” efforts are being signalled.
These aren’t just tweaks, but the most significant changes to the GDPR since its inception, aimed at slashing red tape, easing burdens on small and mid-sized businesses, and fixing the fragmented enforcement that has plagued the law since 2018.
And this may only be the beginning. The Commission has already floated the idea of broader “consolidation” of digital legislation, with further changes to the GDPR likely in future to accommodate emerging technologies like AI.
Amid significant uncertainty about the future of the GDPR, the only guarantee is that these changes are only the beginning. As we saw recently with the gutting of the EU’s sustainability rules following the 2024 European Parliament elections, this Commission is committed to making significant changes.
Simplification for SMEs and mid-caps
The Commission is introducing a tiered compliance framework based on company size and data risk. Reporting exemptions currently reserved for companies with fewer than 250 employees will be expanded to include those with up to 500, and in some proposals even 750 employees.
- No record-keeping required unless processing is “high risk” (e.g. biometric data, location tracking, AI-based profiling).
- No Data Protection Officer (DPO) requirement for smaller organisations.
- Lower fines, capped at €500,000 for smaller businesses—down from the standard €20 million or 4% of annual turnover.
Practical impact:
For a 300-person software company using location data, a data protection impact assessment (DPIA) may still be necessary. But a 400-person retail chain not engaging in high-risk processing might avoid most documentation requirements entirely.
✅ Action point: Review your organisation’s data processing activities. If you’re under 750 employees and not conducting high-risk processing, your documentation and reporting requirements could be substantially reduced by 2026–2027.
Overhaul of enforcement procedures
A separate Procedural Regulation is being finalised to harmonise cross-border GDPR enforcement. But rather than streamlining the process, the proposal introduces multiple additional steps, each with its own timeline.
- 7 months just for the initial planning phase.
- 4 months for final decision-making.
- Investigations themselves still have no fixed deadline, potentially dragging enforcement timelines beyond 2–3 years per case.
- Regulation won’t apply until 2027, with the first cases under the new timeline likely concluding no earlier than 2029.
Practical impact:
Delays in decisions from data protection authorities may impact legal certainty for ongoing processing operations, especially in multi-jurisdictional contexts.
✅ Action point: Map your cross-border processing and anticipate longer timelines for regulator response or enforcement. Build this uncertainty into your compliance and risk mitigation strategies.
Shift from uniformity to risk-based compliance
Reform efforts increasingly favour a risk-based model, adjusting compliance requirements based on the nature of processing rather than a uniform set of obligations.
- Routine processing by small firms = fewer obligations.
- High-risk processing (regardless of company size) = full GDPR compliance still applies.
- Possible future consolidation of GDPR with other digital laws like the AI Act and the Data Governance Act.
Practical impact:
An SME offering facial recognition software would still be bound by full compliance rules, while a low-risk marketing firm could operate with significantly less administrative burden.
✅ Action point: Reassess your DPIAs and risk registers to align with the expected move toward proportionality. Don’t assume smaller size alone exempts you from obligations.
Digital procedures still not harmonised
Despite years of promises, a centralised digital case management system is not being introduced. Most documentation will still be manually shared between over 40 data protection authorities.
- Case files remain fragmented.
- Documents must often be produced in multiple versions for different parties.
- Users face more procedural barriers than companies in lodging or responding to complaints.
Practical impact:
Businesses will need to keep investing in bespoke documentation and internal systems for regulatory engagement, especially in cross-border contexts.
✅ Action point: Continue investing in compliance infrastructure. A lack of harmonised systems means your internal tracking must be watertight—especially for audit trails and communications with regulators.
User rights deprioritised in enforcement
The procedural reforms tip the balance toward company rights over user rights.
- Companies get a “right to be heard”; users only have an “opportunity to submit views”.
- Corporate respondents can access case files directly; users face geographic and procedural hurdles to do the same.
- Enforcement law defaults to the company’s Member State, not the complainant’s.
Practical impact:
This could result in more favourable enforcement conditions for businesses, but it also opens the door to uneven enforcement and reputational risk from perceived unfairness.
✅ Action point: Stay vigilant on transparency and ethical data handling. Even if regulatory exposure decreases, reputational and consumer trust risks remain.
Timeline for Implementation
| Change | Timeline |
| --- | --- |
| Mid-cap exemptions | 2025–2026 (via Omnibus IV package) |
| Procedural regulation enforcement | Likely 2027 onwards |
| First case deadlines under new rules | Possibly 2029 |
✅ Action point: Begin scenario planning for GDPR 2.0. The reforms are not just legislative—organisations should reassess governance structures, roles, and vendor due diligence practices.