The future of data privacy: What GDPR reforms mean for businesses & consumers


The EU is proposing reforms to the GDPR to ease compliance for businesses, especially SMEs, and improve enforcement across borders. While the changes aim to reduce red tape, privacy advocates warn they could weaken user protections. The outcome will depend on balancing business needs with strong data privacy standards.

When the European Union's General Data Protection Regulation (GDPR) was implemented in 2018, it fundamentally changed the way businesses prioritize data privacy and the concept of user consent. Despite the years that have passed, businesses continue to make expensive missteps, even when attempting to comply, and most small to medium enterprises have found GDPR compliance onerous and difficult to enforce. Alongside these challenges, enforcement gaps have emerged, and voices for change have grown louder. The system is slow, with complaints frequently taking years to resolve with very little oversight.

Proposed reforms to GDPR, as it approaches nearly a decade in force, aim to streamline data protection processes but also open the door to criticism that change will weaken privacy protections and user consent mechanisms. The temptation, and the proposed action, is to overhaul GDPR completely, which amounts to a form of deregulation that may lead to greater inefficiency without solving the biggest problems GDPR supposedly causes, particularly as the world speeds toward an AI-driven future in which clarity on data privacy is more essential than ever.

Finding a balance between relief and resistance will prove to be the critical middle ground for the future of GDPR compliance.  

Understanding proposed reforms to the GDPR 

A drive to balance individual rights with businesses’ operational realities has led to calls for simplification. For small and mid-sized enterprises, alleviating some of the regulatory burden would make their work considerably easier, and it would let some slightly larger companies off the hook. Today, companies with fewer than 250 employees are exempt from the requirement to keep detailed data processing records. Under the proposed reforms, this threshold would increase to 750 employees, which could make a big difference for tens of thousands of companies in the EU.

Privacy advocates, however, believe that these changes are a slippery slope, and that increasing this threshold fundamentally redefines risk and dilutes the individual rights afforded by the original GDPR framework.

Enforcing data protection in cross-border data processing 

One of the key themes of the IAPP Global Privacy Summit in April 2025 was the delicacy of data transfers across borders, particularly between the EU and the United States. GDPR has always been designed to deal with these challenges, but its reforms aim to address the real-world difficulties in doing so. The proposed GDPR Procedural Regulation aims to streamline cooperation between national data protection authorities (DPAs), facilitating faster and more coordinated responses to violations.

However, critics caution that without clear guidelines and sufficient resources, these procedural changes could “do more harm than good” and might complicate enforcement further, potentially leading to inconsistencies and delays in addressing data protection breaches.

What GDPR changes mean for businesses

Making operational adjustments 

Businesses, especially SMEs, may experience reduced administrative burdens if the proposed exemptions are implemented. This could lead to cost savings and allow companies to allocate resources more effectively. However, organizations must remain vigilant to ensure that they continue to uphold data protection standards, even if certain documentation requirements are relaxed. 

Navigating enforcement changes 

With the potential for more streamlined cross-border enforcement, companies operating in multiple EU member states need to prepare for more coordinated regulatory scrutiny. This underscores the importance of maintaining robust data protection practices and staying informed about regulatory developments across different jurisdictions.  

Broader impact on data privacy 

The proposed reforms reflect the EU's attempt to modernize data protection in response to technological advancements and the dynamic nature of digital markets. While aiming to reduce unnecessary bureaucracy, it's crucial that these changes do not compromise the core principles of data privacy and individual rights. 

As the EU navigates this complex reform process, ongoing dialogue between regulators, businesses, and privacy advocates will be essential to ensure that the GDPR continues to serve its foundational purpose: protecting personal data in a digital-first world. 

Regulations change, but you can prepare yourself for whatever comes. Check out the CookieHub consent management platform to future-proof your approach to data privacy. 


©2025 CookieHub ehf.