GDPR reform in 2025? Simplifying Record-Keeping and Harmonizing EU Digital Rules

The European Commission’s push to cut red tape aims to reduce burdensome paperwork and compliance obligations. In 2025, even the landmark GDPR – long seen as untouchable – is slated for a trim under this agenda.

The European Commission plans a GDPR “Red Tape” trim

In early 2025, the European Commission signaled its intent to simplify the General Data Protection Regulation (GDPR) as part of a broader effort to boost European competitiveness by easing regulatory burdens. Commission President Ursula von der Leyen’s team launched several “Omnibus” packages to cut back on EU rules, responding to critiques that Europe’s complex laws (like GDPR) hinder innovation and business growth. A high-profile report by former Italian Prime Minister Mario Draghi in late 2023 warned that overly cumbersome regulations – “the GDPR and other burdensome rules” – were keeping the EU’s economy from effectively competing with the U.S. and China. Now, in what has been dubbed the Fourth Omnibus package, Brussels is proposing targeted amendments to the GDPR, focusing on administrative simplification for smaller companies.


Commissioner for Justice Didier Reynders (and his successor, Commissioner Michael McGrath, by 2025) emphasized that this initiative will “focus on reporting requirements for organizations with less than 500 people” while “preserving the underlying core objective of the GDPR regime”. In other words, the goal is to ease compliance for SMEs without diluting fundamental data protection rights. “We need to make it easy for businesses to comply... We don’t need to regulate in a stupid way,” Danish Digital Minister Caroline Olsen quipped, underscoring the pro-business sentiment behind the reform. The reform proposal was expected to be unveiled by late May 2025 as part of the EU’s competitiveness drive.

About raising thresholds and reducing paperwork

The draft GDPR amendment (May 6, 2025) is narrowly scoped to Article 30(5) – the provision on record-keeping (Records of Processing Activities, or RoPA). It introduces several changes aimed at lightening documentation duties for smaller organizations:

  • Higher employee threshold for RoPA: The exemption from maintaining processing records, currently available to entities with fewer than 250 employees, would be extended to cover companies with up to 500 employees (sometimes termed “small mid-cap companies”) as well as nonprofits under the 500-employee mark. This dramatically widens the pool of organizations freed from routine record-keeping obligations.
  • Stricter focus on high-risk processing: The proposal tightens the risk criteria that override the record-keeping exemption. Under current GDPR, even a sub-250 employee company must keep records if its processing is “likely to result in a risk” to individuals’ rights, is not occasional, or involves special categories of data. The reform would change this trigger to processing “likely to result in a high risk”, elevating the threshold of risk that would force small entities to maintain records. In practical terms, only more significant or sensitive processing activities (those posing a high risk) would require documentation from sub-500 employee organizations.
  • Removing the “occasional processing” caveat: The existing rule’s exemption does not apply if data processing is not occasional (i.e. if it’s regular or frequent, records are needed regardless of company size). The draft deletes this condition. By dropping the “occasional” criterion, the law would no longer automatically mandate records for regular day-to-day processing by a small business, so long as that processing doesn’t reach the high-risk threshold.
  • Clarifying special data exemptions: Currently, using special categories of data (sensitive data like health, race, etc.) or criminal records can also disqualify a company from the record-keeping exemption. The reform appears to relax this in limited cases: a new recital would clarify that processing special-category data to comply with a legal obligation in employment, social security, or social protection law would not trigger a record-keeping requirement. For example, a small firm handling employees’ health data to meet labor law duties might still benefit from the record-keeping exemption under the revised rule.

These changes aim to streamline administrative tasks without gutting privacy protections. Crucially, any organization – regardless of size – would still have to keep records for processing that is likely high-risk (e.g. processing that might require a Data Protection Impact Assessment). The Commission has stressed that core GDPR principles (like lawfulness, transparency, data subject rights, security, etc.) remain untouched. Only the paperwork burden is being targeted for reduction. As one analysis put it, the EU is “easing GDPR record-keeping for organizations under 500 employees while maintaining core data protection principles”.

EDPB and EDPS respond with cautious support

On May 8, 2025, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) – the EU’s top privacy watchdogs – issued a joint letter reacting to the Commission’s draft. Their stance can be summed up as “preliminary support, with caveats.”

The EDPB and EDPS welcomed the intention to simplify record-keeping and acknowledged that the proposal is a “targeted simplification initiative” that does not undermine other GDPR obligations. They noted it’s reasonable to lighten compliance for smaller players, so long as key safeguards stay in place. In particular, the regulators “welcome that the obligation to keep records would in any event still be required for ‘likely high risk’ processing”, praising the draft for retaining a risk-based approach. This means even if a company has under 500 staff, it cannot skip documentation for processing that poses significant privacy risks – a point the data protection authorities find important.

However, the EDPB/EDPS also injected some caution and conditions. They “recall that even very small companies can still engage in high-risk processing”, warning that seemingly simple operations might, under certain circumstances, impact fundamental rights. They stress the importance of defining “high risk” clearly (citing existing guidelines on DPIAs) and note that removing the “occasional processing” clause doesn’t mean those activities carry no risk. In essence, the watchdogs want to ensure no loopholes inadvertently allow risky processing to go undocumented.

The letter also calls on the Commission to better justify and analyze the impact of the reform. The EDPB/EDPS ask for data on “the number of companies and organisations that would benefit” and an assessment of how the change might affect overall data protection levels. This analysis, they argue, is needed to confirm the amendment strikes a “proportionate and fair balance” between easing business burdens and safeguarding personal data. The privacy regulators thus give a conditional green light: supportive of cutting red tape for SMEs, provided the risk-based protections remain robust and evidence shows the balance is right.

(Notably, the formal legislative proposal had not yet been published as of early May, so the EDPB/EDPS letter is a preliminary opinion. A full consultation will occur once the draft law is officially released.)

A look at the broader (simplified) picture: Omnibus Packages

This GDPR tweak is one piece of a larger puzzle. The von der Leyen Commission has embarked on a wider project to simplify EU legislation, bundling changes into so-called “Omnibus” packages. The record-keeping reform is explicitly slated to be part of the Fourth Omnibus package in May 2025. Earlier Omnibus packages (launched in February 2025) targeted areas like sustainability reporting and corporate due diligence, scaling back obligations mainly for smaller firms. The common goal is to “reduce administrative burdens by 25%, and by 35% for SMEs, by the end of [2029]”.

Within the digital regulation sphere, the Commission’s 2025 Work Programme also announced a comprehensive “fitness check” of the digital acquis and a “Digital Package” later in 2025 to review laws such as the GDPR, Data Act, Data Governance Act, Cybersecurity Act, AI Act, etc., for coherence and simplification. In this context, the modest GDPR reform on record-keeping can be seen as a first step toward updating and harmonizing the EU’s digital rulebook. It aligns with the Commission’s Competitiveness Agenda and Draghi’s recommendations to prune back rules that are seen as overlapping or disproportionate.

Observers have noted that the politics of reopening GDPR are delicate. GDPR was a landmark law; touching it even for a narrow fix could invite lobbying battles over broader issues. The Commission has been careful to describe this reform as a “targeted amendment” not a full overhaul, likely to avoid opening Pandora’s box. So far, there seems to be general support among EU institutions for easing bureaucratic requirements on honest small businesses, especially in light of complaints that Europe’s regulatory thicket stifles local startups. As one privacy lawyer commented, the proposal “seeks to ease compliance burdens on certain organizations, while retaining core privacy safeguards” – a politically palatable balance. The Omnibus 4 package is thus part of a narrative that Europe can trim paperwork without trashing privacy, demonstrating a nuanced approach to regulatory quality over quantity.

Overlapping frameworks and regulatory “inflation”

The GDPR reform debate is happening against a backdrop of “regulatory inflation” in the EU’s digital economy – a proliferation of new rules addressing online content, competition, AI, and more. In recent years, the EU has rolled out or drafted multiple major frameworks alongside GDPR, including the Digital Services Act (DSA), Digital Markets Act (DMA), Artificial Intelligence Act, and attempts at an ePrivacy Regulation. This flurry of legislation, while aiming to tackle distinct issues, has led to concerns about overlapping obligations and compliance complexity:

  • Digital Services Act (DSA) & Digital Markets Act (DMA): These 2022 laws impose duties on online platforms (DSA) and “gatekeeper” tech giants (DMA). While their focus is not data protection per se, they add layers of compliance (content moderation processes, fair competition rules) that intersect with data handling. Policymakers caution that DSA/DMA implementation should “avoid replicating the administrative complexities and legal ambiguities associated with the GDPR.” In other words, Europe wants to ensure its new platform regulations don’t unintentionally recreate GDPR-like burdens or conflicts. (For example, both DSA and GDPR address transparency – DSA for content and ads, GDPR for personal data – and regulators must ensure consistency in enforcement.) Overlap is also a practical concern: a large platform could be audited under DSA and investigated under GDPR simultaneously, so coordination is key to prevent needless duplication.
  • AI Act: The forthcoming Artificial Intelligence Act will introduce rules on AI systems (like risk assessments, data transparency, human oversight requirements). Overlap with GDPR is explicitly recognized: the AI Act governs AI systems, while the GDPR governs personal data – but AI often relies on personal data. To avoid double-regulation, experts suggest clarifying boundaries so that compliance with one regime doesn’t contradict the other. The EDPB itself has advised eliminating regulatory overlaps with the AI Act to “avoid penalizing EU companies” developing AI, noting that GDPR already covers many data protection aspects relevant to AI. For instance, an AI company processing personal data would still follow GDPR principles (lawful basis, data minimization) in addition to any AI Act standards; regulators want to ensure these requirements dovetail rather than pile on conflicting demands.
  • ePrivacy Regulation: A long-planned sister law to GDPR, meant to specifically regulate electronic communications privacy (cookies, messaging confidentiality, etc.), the ePrivacy Regulation has been stuck in legislative gridlock since 2017. In fact, it was withdrawn in early 2025 without adoption, as EU lawmakers shifted focus to other tools. This leaves the old 2002 ePrivacy Directive in place, supplemented by GDPR and the newer digital laws. The failure of the ePrivacy Regulation in part reflects “regulatory fatigue” – the EU arguably had too many overlapping initiatives. Some aspects of ePrivacy (like cookie rules) are now handled through a mix of GDPR (e.g. consent requirements) and the DSA’s provisions on online platforms, but the lack of a dedicated updated law means a fragmented landscape. The Commission’s simplification agenda implicitly acknowledges this overload: rather than add another complex regulation, the strategy is to streamline what exists. Elements of ePrivacy’s goals may resurface in a more harmonized way through the broader digital fitness check, ensuring that privacy in communications is addressed without spawning yet another separate rulebook.

The presence of multiple frameworks has undoubtedly increased compliance workloads – a phenomenon sometimes dubbed the “Brussels effect” double-edged sword: while exporting high standards globally, it also creates a dense web of rules at home. Even within GDPR itself, inconsistent enforcement among Member States has led to fragmentation and legal uncertainty. The current reform can be viewed as a response to these criticisms, trimming an internal GDPR obligation (RoPA) to make life easier for smaller actors, while hinting at the need to better coordinate across regulations. By simplifying one piece of the puzzle now, the EU might be testing the waters for aligning others down the line. As one analysis suggests, truly improving the EU’s digital regulatory climate will require “addressing overlapping, unnecessary or disproportionate rules” across the board, not just within GDPR.

A look toward a harmonized and SME-friendly digital regulation?

The 2025 GDPR reform proposal, though limited in scope, carries symbolic weight. It represents the EU’s willingness to balance privacy with pragmatism. For startups and midsize companies, raising the RoPA threshold to 500 employees and narrowing record-keeping to high-risk cases could significantly reduce day-to-day compliance costs. This pragmatic, risk-based relief has been welcomed by business communities, which argue that resources spent on checkbox paperwork could be better used to innovate – without endangering individuals’ privacy. By simplifying obligations for smaller businesses, the EU is taking a “positive step towards a more proportionate framework”, as commentators have noted.

Crucially, this step is being taken without abandoning GDPR’s core tenets. The reform explicitly avoids touching fundamental rights or weakening enforcement against serious abuses. It is a surgical adjustment that stays true to the GDPR’s spirit (protecting personal data) while removing some bureaucratic weight from its letter. In that sense, it sets a precedent: future EU digital legislation might also be fine-tuned to better fit the size and risk-profile of organizations. Indeed, Commissioner McGrath framed the GDPR tweak as part of a “whole range of simplification measures” aimed at improving the competitiveness of Europe’s economy.

Looking forward, many hope this reform is just the first step toward a more coherent digital regulatory environment. As new laws like the AI Act come into play, the EU faces the challenge of integrating them with GDPR and each other. A harmonized approach – where overlaps are minimized, and rules are streamlined – would help prevent regulatory inflation from stifling businesses. The GDPR record-keeping proposal shows the EU is aware of these concerns and is willing to recalibrate. While privacy advocates will watch carefully to ensure data protections aren’t eroded, there is a generally optimistic tone that smart simplification can be a “win-win”: making compliance more achievable for honest companies (especially SMEs) and making the overall framework more effective by focusing on what really matters (high-risk and high-impact processing).

In summary, the 2025 GDPR reform initiative sits at the intersection of privacy and competitiveness. It acknowledges that after nearly 7 years of GDPR, a one-size-fits-all approach may not be optimal in the evolving digital landscape. By raising the RoPA threshold and clarifying obligations, the EU is striving to reduce red tape while upholding robust privacy standards. If successful, this measured reform could pave the way for greater alignment among Europe’s digital laws – from data protection to AI and beyond – making life easier for compliant businesses and regulators alike. It’s a careful course toward a more simplified, harmonized, and future-ready EU digital regulatory framework.

How would Anove support this change?

At Anove, we embrace the spirit of regulatory simplification by offering intelligent compliance solutions that adapt to evolving legislative landscapes. We help organizations streamline their GDPR efforts by minimizing the administrative burden traditionally associated with maintaining documentation, reporting, and controls. By aligning with the EU’s push to reduce unnecessary red tape, Anove contributes to mitigating the so-called "Brussels Effect"—the layering of overlapping, often burdensome obligations. Our platform integrates the requirements of major frameworks like the GDPR, EU AI Act, and Digital Services Act (DSA) into a unified, coherent compliance process. This allows our clients to manage cross-regulatory requirements through one structured approach, saving time, ensuring consistency, and enabling a clearer focus on risk and accountability.

Want to read more? Check our previous articles:

  • On Mario Draghi’s report:
    o “How Companies Can Deal With The Increase Of EU Tech Regulations” https://www.anove.ai/blog-posts/how-companies-can-deal-with-the-increase-of-eu-tech-regulations
  • On the inflation of Tech regulations:
    o “Tech Regulations: How To Relieve The Burden Of Supervisory Bodies” https://www.anove.ai/blog-posts/tech-regulations-how-to-relieve-the-burden-of-supervisory-bodies
    o “Navigating The New Landscape Of EU Tech Regulations: A Call For Homegrown Innovation” https://www.anove.ai/blog-posts/navigating-the-new-landscape-of-eu-tech-regulations-a-call-for-homegrown-innovation
  • On the EU AI Act:
    o “EU AI Act – The 5 Key Articles You Need To Know Now! Don’t Miss The 4th One!” https://www.anove.ai/blog-posts/eu-ai-act---the-5-key-articles-you-need-to-know-now-dont-miss-the-4th-one
  • On coping with administrative burden as an SME:
    o “The Easiest Way For A Tech CEO To Be Freed From Administrative Burden Of Upcoming Tech Legislations” https://www.anove.ai/blog-posts/the-easiest-way-for-a-tech-ceo-to-be-freed-from-administrative-burden-of-upcoming-tech-legislations

Sources:

  • European Commission, Draft GDPR simplification proposal (2025) – Art.30(5) amendment, as referenced in EDPB-EDPS letter.
  • EDPB & EDPS, Joint Letter on GDPR Record-Keeping Simplification, 8 May 2025.
  • Politico EU, “Europe’s GDPR privacy law is headed for red tape bonfire” (Ellen O’Regan, Apr 3, 2025).
  • The Record, “Europe preparing to ‘ease the burden’ of GDPR” (Suzanne Smalley, Apr 7, 2025).
  • Inside Privacy (Covington), “European Commission Confirms Plans to Simplify GDPR” (Mar 17, 2025).
  • GamingTechLaw, “EDPB and EDPS preliminary feedback on GDPR simplification” (May 2025).
  • Lawfare, “Is Europe About to Slow the Pace on Digital Regulations?” (Oct 2023).
  • Cookiebot, ePrivacy Regulation status update (2025).
  • European Commission Press Release, “Commission proposes to cut red tape...” (Feb 26, 2025).