Tuesday, 29 April 2025
What is the EU changing with their GDPR simplification?

A simplified GDPR was recently announced by the European Union. While concrete details are currently not finalised, we do know that it’s part of the general drive to simplify digital regulation.
As a result, the programme of work also covers a review of the AI Act and cyber security regulations. The main aim of the simplified regulations is to reduce the paperwork burden on organisations with fewer than 500 employees. These rules currently apply to organisations with under 250 employees.
What changes are we likely to see introduced?
- Eliminating the obligation for organisations to keep records of processing activities for non-essential tasks. More organisations will adhere to the existing regulations for small businesses as a result.
- Removing or reducing Data Protection Impact Assessment requirements for scenarios where organisations lack the bargaining power to influence the terms offered. Regulators will assume the responsibility of conducting those negotiations instead.
- Adopting plans from the UK’s Data (Use and Access) Bill. The EU may release a list of legitimate interests that align with the original purposes of collection to simplify the legitimate interest assessment process.
- Adjusting transparency requirements, either by providing more information on request, or by providing more information in privacy notices and making less available on request. The EU may implement this by removing the need to include transparency information in subject access request responses where it is already publicly available.
- Removing the need to obtain consent for additional categories of cookies, following the Data (Use and Access) approach. This change will remove the need to collect consent for ‘low risk’ cookies used for advertising and website analytics.
- Encouraging the use of Codes to make it simpler for organisations to understand how to fulfil their obligations.
- Reducing the compliance burden for organisations that are Code signatories by potentially reducing their transparency requirements in areas governed by Codes to reduce double working.
Why is the EU introducing the GDPR simplification?
Improving productivity, fostering innovation and promoting economic growth are the goals for any impending EU regulation. The rise of AI has driven a newfound desire to innovate, which will place focus on evolving data protection and cyber security. Strategically, nations could emerge as leaders in AI, and they are placing hopes that an organisation in their country will be the ‘next Google’, bringing in tax receipts to match. Experts quoted in a Tech Policy analysis of the changes¹ noted that access to capital is likely a bigger drag than regulation. To maintain momentum, the EU should focus at least as much on encouraging investment as on reducing paperwork.
We’re unlikely to see concrete announcements on final plans in the near future. Building legislation takes time and, as noted above, many of the options are included in the Data (Use and Access) Bill. Lawmakers may choose to wait and see the impact on the UK before deciding what changes to make across the EU. The UK government says, “the Data (Use and Access) Bill will bring an estimated £10 billion boost to the UK economy across 10 years” by “improving the way consumers, businesses and asset owners can safely share data”. More than just paperwork reductions are required to reach these optimistic estimates. We’ll soon see if organisations can take advantage of the new opportunities.
As always, the world of data protection continues to evolve and keep privacy professionals on our toes!
Footnote
1 What’s Behind Europe’s Push To “Simplify” Tech Regulation?, Ramsha Jahangir, Tech Policy.Press, 24 April 2025