Simplification of the GDPR: what will (perhaps) change
Why GDPR is in the sights of the European Commission
Since its entry into force in 2018, the GDPR has established itself as a global standard in data protection. However, it has also become the emblem of regulations perceived as cumbersome and complex by many companies, particularly SMEs.
Two criticisms come up regularly:
- A lack of support and means to apply it correctly
- A heterogeneous application depending on European countries
It is in this context that the European Commission, under the impetus of the Draghi report, announced that it wanted to contribute to the competitiveness of European companies by reducing their administrative burden. As such, the GDPR is today the target of a legislative simplification initiative.
What the simplification proposal provides
On May 21, 2025, the European Commission presented a draft update of the GDPR as part of the "Omnibus IV" package. This simplification of the GDPR mainly aims to:
- Extend the register exemption to organizations with fewer than 750 employees and a turnover below 150 million euros
- Remove the "occasional processing" condition to avoid divergences of interpretation
- Exempt these organizations from certain obligations such as the DPIA (data protection impact assessment)
Exception: processing operations presenting a high risk to rights and freedoms (Article 35) will remain subject to the obligation.
The stated objective is clear: to reduce paperwork for businesses while maintaining the overall GDPR framework.
Focus: article 30 and the processing register
Currently, Article 30 requires data controllers and their processors to keep a register of processing activities, except for companies with fewer than 250 employees, provided that:
- Processing is occasional
- They do not relate to sensitive data (art. 9) or judicial data (art. 10)
- They present no risk to the rights and freedoms of the persons concerned
The register must detail: the purposes of the processing, the categories of data subjects, the security measures, the retention periods, the recipients, transfers outside the EU, etc.
With the new proposal, GDPR relief would result in a simplification of documentation obligations for a greater number of companies.
A simplification that divides
The proposal caused a reaction. While some see it as a breath of modernization, others fear a weakening of data protection.
For Politico, this is a "crack" in the GDPR, which was until now considered untouchable. The CCIA (American tech lobby) believes, on the contrary, that the measure is too timid and will not solve anything for European competitiveness. NOYB (Max Schrems's association) denounces added complexity: more steps, more deadlines, more imbalances between companies and users.
These criticisms show the extent to which the GDPR remains a sensitive and highly political subject.
Our analysis at Data Comply One (formerly Mission RGPD)
At Data Comply One (formerly Mission RGPD), we have been supporting more than 1,000 SMEs, mid-sized companies, associations and communities in their GDPR compliance for 6 years. And our observation is simple:
The blocker is not the GDPR itself, but the fact that it is too often misunderstood and poorly applied. The processing register, as long as it remains documentary, fixed, isolated and administrative, has no real value.
The register, for example, is not an end goal. It does not protect data, does not respond to a legal request, does not reduce risks. It's a tool, but only on condition that it is connected to operational matters.
Since 2019, we have digitized, automated and redesigned the register so that it becomes a real management tool, not a file forgotten in a SharePoint folder.
📡 With our SaaS platform, the register is:
- ✔️ Digital and collaborative, to involve business managers
- ✔️ Up to date, to reflect the reality on the ground regarding personal data
- ✔️ Automated, to save precious time
- ✔️ Connected to operational matters, to concretely manage risks
It allows you to:
- ✔️ Identify critical processing operations
- ✔️ Detect risks and non-compliant processors
- ✔️ Structure responsibilities and proof of compliance
- ✔️ Calmly prepare a response to an audit, a client or a call for tenders
🛠 Because what really matters for an SME or mid-sized company is not the paperwork...
It's being able, every day, to:
- Protect the data of its customers and employees
- Avoid incidents, data leaks and crisis management
- Avoid mistakes in a legally binding DPA
- Reassure a customer before signing a contract
- Respond promptly to a prospect's rights request to protect its reputation
- Quickly prove compliance during due diligence or an audit (M&A, fundraising, cyber certification, CSR...)
This is exactly what we do with our platform, our outsourced Coach DPO and DPO experts, supporting more than 1000 companies on a daily basis.
This is our vision at Data Comply One (formerly Mission RGPD): a SaaS "Service as a Software" platform designed to help SMEs and mid-sized companies manage their regulatory challenges, without spending hours on them, and in the service of their business performance and their growth.
Conclusion: simplify yes, but without compromising
The GDPR update is underway. Simplifying the GDPR is necessary so businesses can focus on what matters most: protecting data effectively, without needless complexity. Less paperwork, to better focus on protecting personal data.
But be careful not to confuse GDPR relief with abandoning its foundations. Because behind each unchecked box, there is an uncontrolled risk. To be continued then...
Take stock for free with our online GDPR Diag: in just a few minutes, identify what is really in place in your organization, what remains to be done, and how to transform compliance into a performance lever.