The EU plans to simplify the GDPR to enable businesses to be more globally competitive

Summary

The General Data Protection Regulation (GDPR) has been influential around the world since it came into effect in the European Union in 2018. It sets stringent standards for data privacy and protection of individual rights. 

However, there have also been complaints about the administrative complexities in understanding and complying with the GDPR’s requirements. 

These pressures are particularly acute for small and medium-sized businesses (SMBs), which typically have fewer resources to dedicate to functions like obtaining valid consent from all users, secure data management, and reporting. 

But at the same time, noncompliance fines, operational disruptions, and damage to brand reputation can disproportionately hurt smaller businesses.

Regulatory authorities have been listening, and have proposed cutting back and simplifying the GDPR, especially for SMBs. Their goal is to reduce administrative burdens by 35 percent for SMBs, and by 25 percent overall by 2029.

In the meantime, the European Commission (EC) insists that the regulation’s strong mandate for data privacy and protection remains intact.

We look at what the proposed changes to the GDPR are, who may benefit from them, and what effects they may have on companies’ data privacy operations and how they manage compliance.

Who is proposing the changes to the GDPR?

The EC has drafted omnibus legislation aimed at simplifying several areas of GDPR requirements. On May 6, 2025, the EC sent letters to the European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) to explain the specific modifications that it planned to introduce.

On May 8, 2025, the EDPB and EDPS adopted a letter in response, expressing general support for the proposals. They also emphasized the need to retain the obligations for high-risk data processing, regardless of organization size. 

Additionally, they requested that the EC provide data on how many organizations would benefit from the proposed changes, and what the potential impact on data protection would be. Once the legislative proposal is published, there will be a formal consultation.

On May 25, 2025, the EC published their proposed amendments to the GDPR. The amendments focus on easing the regulatory burden for small and medium-sized businesses and small and mid-cap enterprises (SMCs). SMCs are three times larger than SMBs.

What are the proposed changes to the GDPR?

The proposed changes are relatively minor, affecting mainly three Articles of the GDPR. The proposal is a long way from becoming law yet, however. 

Unsurprisingly, some parties say the proposed changes do too much to potentially weaken the GDPR, and others say they’re too small and affect too few companies to make any real improvement in smaller organizations’ compliance burden. 

Record-keeping exemptions 

Art. 30 GDPR exempts SMB data controllers and processors, as well as other organizations with fewer than 250 employees, from keeping records of processing activities under certain conditions.

The proposal would extend the exemption to small and mid-cap enterprises (SMCs) and other organizations with fewer than 750 employees. It would also maintain the record-keeping requirement only for data processing activities deemed high risk to the rights and freedoms of data subjects [Art. 30(5) GDPR]. 

Codes of conduct requirement expansion

Art. 40 GDPR requires associations and bodies that represent data controllers or processors to create codes of conduct accounting for the specific needs of SMBs. The proposal would expand that group to include SMCs as well.

Broadened scope for data protection certifications

Art. 42 GDPR encourages data protection certification mechanisms and seals to be established, with a focus on SMBs’ specific needs. The proposal would expand the scope of this provision to include SMCs.

Response to the proposal

The proposals are not without critics. The IAPP has likened the proposed changes to opening Pandora’s box, which could lead to significant challenges that weaken the GDPR. 

CCIA Europe has argued that these proposed changes are “cosmetic fixes, not systemic solutions” that would ease GDPR burdens for just 0.2 percent of EU companies.

What benefits are there for businesses with GDPR simplification?

The most obvious benefits to simplifying the GDPR are for companies, but the proposed changes could be important for regulators and consumers as well.

Benefits of GDPR simplification for businesses

The GDPR often requires large amounts of documentation for organizational compliance. For smaller companies that tend to have fewer resources — financial, technological, and personnel — creating and maintaining all of this documentation has long been contentious.

Reducing reporting and documentation would likely free up company resources to focus on core operations, customer experience, and business growth. It could also save money, for example on legal consultations and software to manage compliance requirements.

Companies could innovate more quickly while still taking a privacy-led approach to operations. There would just potentially be fewer GDPR-centric requirements and paperwork for building or updating new products, services, consent management, and other operations.

Companies could also find it easier to anticipate and prepare for future changes to the GDPR, making compliance easier and less expensive.

Benefits of GDPR simplification for consumers

From the customer’s side, simplification could make required documentation easier to communicate, e.g. making privacy policies and consent banners simpler and clearer to people visiting websites and using apps. 

This would contribute to reducing confusion about how data is used and what rights people have. Simplification could also help streamline requirements for data subject access requests (DSAR) and other ways people exercise rights.

These changes could help build consumer trust and long-term relationships with companies, also potentially boosting opt-in rates for data collection and processing.

Benefits of GDPR simplification for regulators

Simplifying the GDPR could ease the burden on regulators as well. Data protection authorities (DPAs) would have to do less interpreting of legal requirements as they apply to specific organizations’ operations. 

Ideally this would lead to less uncertainty, faster reviews, and the ability to apply the regulation across member states in a more uniform way.

Businesses that are better able to understand and meet compliance requirements would ideally mean less work for DPAs, and there would be fewer questions and less education required. 

It would also likely mean less risk of fines and other penalties for unintentional violations, as well as less work with companies to resolve violations, bring operations into compliance, and ensure that compliance is maintained over time.

All of these considerations are parts of the largest goal of the GDPR simplification project, that of enabling EU companies to be more competitive globally. Additionally, the proposed changes could remove deterrents to foreign investment and partnerships in the EU.

What are the concerns about proposed changes to the GDPR?

The core concern of the EDPB and EDPS is that the GDPR not be substantively changed or weakened, and that strong protection of personal data and individuals’ privacy rights remain intact in the EU. 

However, just as when the GDPR was drafted, making proposed changes to it has sparked concerns about lobbying efforts and potentially excessively weakening the finalized regulation.

Tech companies invested vast resources into lobbying European authorities while the GDPR was being drafted, hoping to influence the specifics of the final regulation in their favor. 

There are a number of tech platforms that are among the largest companies in the world, with extremely deep pockets, and strong motivation to eliminate as many roadblocks as possible to their access to user data, ability to use targeted advertising, and other functions that the GDPR regulates.

Some advocacy organizations file a lot of complaints about GDPR issues and alleged violations. Removing legal requirements could create many more perceived issues for critics and privacy advocates, leading to even more legal actions.

It’s worth noting, however, that the core rules and requirements of the GDPR would be exceedingly difficult to get rid of, since personal data protection is an inalienable right under the EU’s Charter of Fundamental Rights.

How do the proposed changes to the GDPR affect data privacy?

Standard GDPR requirements wouldn’t change. For example, organizations would still have to notify users about rights and data use and obtain consent to collect and process personal data.

As noted, individuals’ privacy user experience could improve if privacy policies or notices and other sources of information required for data subjects are simplified or streamlined. 

Because the proposed legislative changes largely target SMBs, there is a risk that, over time, a two-tiered GDPR could develop, with different and potentially more stringent requirements for large organizations, which could slow growth and innovation, and fewer demands on smaller companies, enabling them to be more agile in their industries.

While extensive lobbying to weaken GDPR requirements — particularly from the tech industry — remains a concern, there is strong counter-concern to ensure that data privacy rights and data protections under the GDPR remain strong.

German coalition agreement and data privacy

In May 2025 the new German government signed a coalition agreement. The parties involved have contractually agreed to a joint political agenda, priorities, and legislative initiatives. 

The agreement creates public transparency about the government’s intentions and legislative and regulatory plans, which may affect data privacy and individuals. Specific points of interest and potential importance to data privacy in Germany, especially with changes to the GDPR, include:

  • Excluding SMBs from the application of GDPR while maintaining privacy standards
  • Centralizing Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI), the German data protection authority
  • Implementing an EU Digital Identity (EUDI) Wallet

More broadly, there has been discussion of the following topics and ideas, though nothing concrete has been drafted or decided yet:

  • A “single sign-on” type principle wherein individuals would only have to provide their data to public authorities once, and the authorities would be expected to share the data set (with relevant consent and access controls)
  • Implementing opt-out solutions for data processing for state services
  • Abolishing the German Supply Chain Act and replacing it with a less bureaucratic option
  • Building Germany into a hub of AI use and innovation, particularly in public services

Best practices to strengthen data privacy and competitiveness

It is important that the core requirements and goals of the GDPR remain, as they form the backbone of protection for individuals and companies in the EU. These principles have also been highly influential on other countries’ privacy legislation, so it’s likely other countries will continue to observe the GDPR’s evolution when considering changes to their own laws.

While many companies would welcome less regulatory red tape, the core GDPR requirements actually benefit companies and their customers. It does take knowledge of a company’s operations, tech stack, and customer base, plus dedication to implementing GDPR compliance measures in a way that limits resource needs and provides the best user experience.

A consent management platform (CMP) is a key way to provide required information about data processing, and real consent choices to EU consumers. It also enables secure storage and reporting about consent histories, enabling companies to more easily meet reporting requirements or respond to inquiries.

Technology and consumer expectations will continue to change over time, and global competition will continue to be challenging. At the same time, the amount of digital personal data that people create online is likely to increase, as is the demand for its use. 

Regulators have the enormous challenge of creating and maintaining laws with a balance of strength and flexibility. Fortunately, companies like Usercentrics provide SMBs and enterprises with tools to make ongoing regulatory compliance and building a trustworthy brand easier.