New Changes to GDPR Proposed: An Indication of Shifting Policy Priorities?

Posted
By and

GDPR-1497956947-300x300The European Commission’s proposed amendments to the General Data Protection Regulation (GDPR) mark the first substantive reworking of the regulation since its enactment, signaling a material shift toward economic pragmatism. These changes warrant close attention not only for what they include, but also for what they omit.

The Proposed Changes
On May 21, 2025, the European Commission published proposed amendments to the GDPR as part of its “Simplification Omnibus IV” package. The centerpiece of the GDPR proposal is a revised Article 30(5), which would remove the obligation for some small and medium-sized enterprises (SMEs) and small mid-cap enterprises (SMCs) (i.e., organizations which have outgrown the SME designation) to maintain records of processing activities.

These record-keeping obligations require, among other things, for the purpose and categories of processing of personal data to be recorded. Under the current regime, the Article 30(5) exemption applies only to organizations employing fewer than 250 employees and where the processing is (i) “occasional,” (ii) does not include special category data, and (iii) is unlikely to pose a risk to the rights and freedoms of data subjects.

The new proposal simplifies these qualifiers and lowers the threshold—eliminating the record-keeping obligations for organizations with fewer than 750 employees, so long as the processing activities are not likely to result in a “high risk” to data subjects’ rights and freedoms.

While less likely to impact businesses day to day, the proposals also extend the scope of Articles 40 and 42 GDPR (concerning codes of conduct and certification mechanisms) to ensure that sector-specific needs of SMCs (and not just SMEs) are taken into account in the development of codes of conduct and issuance of data protection certifications and seals.

Background and Strategic Context
The current proposals can be understood as a direct response to pressure from a wide range of stakeholders, particularly in relation to the perceived compliance burdens faced by smaller companies. The “Simplification Omnibus” is part of a broader recalibration by the Commission following the 2024 Draghi Report on EU Competitiveness, which urged the EU to reduce regulatory drag as part of a competitiveness agenda. Beyond data protection, the Commission has recently pursued simplification in areas such as sustainability reporting and ESG disclosure obligations, all framed as efforts to streamline compliance while safeguarding core policy objectives.

The specific GDPR reform proposal follows months of speculation and commentary regarding the EU’s regulatory posture. Although the GDPR has long been held out as the global “gold standard” for privacy law, criticism has been growing, including claims that its enforcement has become ideologically captured by privacy absolutism, often to the detriment of other fundamental rights and economic imperatives. While this change will be a welcome one for smaller organizations, its scale and scope is arguably restrained. Broader reforms such as introducing a “tiered” GDPR application, or relaxed requirements for data protection impact assessments, for example, appear to have been sidelined for the meantime in favor of a more cautious, and possibly incremental, approach to reform.

Enforcement Reform: a Parallel Track
While the May 2025 proposal focuses on compliance burdens for smaller organizations in an effort to boost EU competitiveness, broader enforcement reform remains under active negotiation in the form of the GDPR Procedural Regulation, a legislative proposal dating back to 2023 which aims to establish clearer procedural rules for cooperation between national supervisory authorities, improving the consistency and efficiency of cross-border enforcement. However, the reform process has been sluggish and unproductive and has even been criticized as contradictory to the EU’s simplification agenda. At the moment, the future of these procedural reforms is unclear.

A Tactical Adjustment, Not a Regulatory Retreat
The May 2025 GDPR reforms are significant not because they rewrite the foundational principles of EU data protection, but because they demonstrate political willingness to recalibrate, signalling a shift from absolutism to pragmatism. While broader procedural reform remains uncertain, the direction of travel is clear: the GDPR is entering a new phase—one shaped as much by economic realism as by fundamental rights orthodoxy.

For insights on these evolving topics, please visit our GDPR Practice page.

The authors would like to thank trainee solicitor Samson Verebes for his contributions to this blog.