The European Union has announced plans to simplify the GDPR. There isn’t currently much detail, but what we do know is that it’s part of the general drive to simplify digital regulation. As a result, the programme of work also covers a review of the AI Act and cyber security regulations.
It seems that the main aim of the simplified regulations is to reduce the paperwork burden on organisations with fewer than 500 employees. At the moment, these rules apply to organisations with under 250 employees.
So what could that mean? Changes may include:
- Removing the requirement to maintain records of processing activities for non-core activities. This will let more organisations follow existing rules for smaller businesses.
- Removing or reducing Data Protection Impact Assessment requirements for situations where organisations just don’t have the bargaining power to make any meaningful changes to the terms offered. Regulators will take on the burden of conducting those negotiations instead.
- Following a similar approach to the UK’s Data (Use and Access) Bill. The EU may publish a list of legitimate interests deemed compatible with the original purposes of collection to simplify the legitimate interest assessment process.
- Reducing transparency requirements, with more information available on request. Or conversely, requiring more information in privacy notices and making less available on request. The EU may achieve this by removing the requirement to include transparency information with subject access request responses where it is already publicly available.
- Removing the need to collect consent for more categories of cookies, similar to the Data (Use and Access) approach, which will remove the need to collect consent for ‘low risk’ cookies for advertising and website analytics.
- Encouraging the use of Codes to make it simpler for organisations to understand how to meet their obligations.
- Reducing the compliance burden on organisations that are Code signatories, perhaps by reducing their transparency requirements in areas governed by Codes to reduce double working.
Why is the EU introducing the GDPR simplification?
The overall goal for any changes the EU makes is to improve productivity, innovation and economic growth. The focus on data protection and cyber security simplification is likely to be at least in part driven by a desire to make sure that AI innovation gets off the ground. Strategically, countries are jostling for position to be leaders in AI in hopes that an organisation in their country will be the ‘next Google’, bringing in tax receipts to match. Experts quoted in a Tech Policy analysis of the changes1 noted that access to capital is likely a bigger drag than regulation. We must hope that the EU focuses at least as much on encouraging investment as on reducing paperwork.
It’s likely to be a while before any announcements are made. These things take time and, as noted above, many of the options are included in the Data (Use and Access) Bill. Lawmakers may choose to wait and see what impact they make in the UK before deciding what changes to make across the EU. The UK government says, “the Data (Use and Access) Bill will bring an estimated £10 billion boost to the UK economy across 10 years” by “improving the way consumers, businesses and asset owners can safely share data”. It includes more than just paperwork reductions to do that, and frankly the estimate is generally considered quite optimistic. We will see quite quickly whether organisations move to take advantage of the new opportunities or not.
As always, the world of data protection continues to evolve and keep privacy professionals on our toes!
Footnote
1 What’s Behind Europe’s Push To “Simplify” Tech Regulation?, Ramsha Jahangir, Tech Policy. Press, 24 April 2025
