EU moves to simplify GDPR – what it means for you
The situation
The GDPR has been in force since 2018 and set the global benchmark for personal-data protection.
But many small and medium-sized businesses (SMBs) inside the EU felt they were weighed down by compliance overhead: heavy documentation, processing records, templates, audits.
The European Commission has now formally proposed amendments that aim to reduce the administrative burden—especially for smaller organisations—while stating that the core rights of individuals will remain intact.
What’s changing?
Here are the key proposed modifications:
- Extension of the exemption from full record-keeping under Article 30: organisations with fewer than 750 employees (under certain conditions) would be able to skip keeping full “records of processing activities”, unless they carry out high-risk processing.
- Broadening of scope for “codes of conduct” (Art. 40) and “certification mechanisms” (Art. 42) so that “small mid-cap enterprises” (SMCs) can also use these more flexible tools.
- The stated intention is to lower the overall administrative burden by about 25 %, and for SMBs by around 35 %, by the year 2029.
Why this matters
For businesses:
Less paperwork = more time. If you’re a lean team, this move could mean freeing up budget, reducing legal-consulting costs, and focusing more on growth rather than only on compliance.
For regulators & consumers:
Simpler rules may lead to more consistent enforcement across EU member states, fewer grey areas, and hopefully faster responses from DPAs.
For privacy rights:
Even though the burden is being eased, the core protections remain non-negotiable. The EDPB/EDPS emphasise the regulation’s foundations must stay intact.
But there are valid concerns
- Some industry experts say these changes might affect only a very small portion of companies (~0.2 %) and so may not be the “systemic fix” SMBs hoped for.
- Others warn of a two-tier system emerging: smaller orgs face less burden while large orgs still face full compliance, leading to an uneven competitive field or varying privacy standards.
- Some consumer groups argue that “simplification” must not mean “watering down” the GDPR.
What this means for my clients (and you)
If you’re running compliance services (or commissioning them) here’s how to think about it:
- Don’t wait for the final legal text. The proposal is published, but the law hasn’t changed yet. The timeline still has many stages: consultations, amendments, parliamentary debates.
- Keep the fundamentals strong. Regardless of simplification, you’ll still need to comply with core principles: lawful basis, transparency, data subject rights, security. The protection goal does not change.
- Use this as an opportunity. For your service catalogue (e.g., KVKK Startup Launchpad, ISO 27001 readiness) this is a chance to emphasise efficiency and future-proofing. Show clients you’re staying ahead of regulatory change and helping them build lean, scalable compliance frameworks.
- Tailor based on size and risk profile. If you’re advising smaller clients (say, under 750 employees), highlight how these proposed changes might reduce burdens—but also remind them that high-risk processing still triggers full obligations.
- Prepare for change management. Once the law is updated, your clients will need to update policies, records, possibly consent frameworks, and internal risk-assessments. Position yourself to help with that “transition” phase.
My opinion (and yes, I take a stand)
I strongly believe this simplification is a good move, because it recognises business realities without abandoning privacy. Too often, compliance gets framed as cost-centre only—but data protection should be a business enabler (trust, brand, growth).
However — and this is a big however — I worry that if “simplification” is used as a pretext to loosen protections, we undermine the EU’s global leadership in privacy. For my clients (especially those servicing EU/EEA markets or handling cross-border data flows), the message must be: Change is coming — but compliance doesn’t go away.
So yes, simplify. But not at the cost of core rights or risk management.
What to do now (action checklist)
- Conduct a mini-audit: Identify whether your organisation (or your client’s) is under 750 employees, what processing is “high-risk”, what records are maintained today.
- Map current processing operations: even if some records may become exempt, it is still good practice to have a clear picture.
- Review your consent management frameworks, internal documentation (DPAs, DPIAs, records of activities) — spot potential efficiencies.
- Update your narrative: When you talk to clients, emphasise that you’re preparing them not only for today’s GDPR but tomorrow’s streamlined version.
- Monitor legislative progress: Stay tuned to the official law-making, as the draft could be amended further. The European Data Protection Board and European Data Protection Supervisor have issued opinions already.
In summary
The EU’s move to simplify the GDPR signals a shift: compliance still matters, but bureaucracy may be eased for smaller organisations.
If you’re a startup or SMB, this could reduce cost and complexity. If you’re a service provider (like us) or advising such firms, it’s the moment to lean in, show you’re ahead of the curve, and turn compliance from a burden into a growth-enabler.
The core lesson: Be ready. Be aligned. Be efficient.
Sources:
- Usercentrics
- European Commission
- European Data Protection Board (EDPB)
- European Data Protection Supervisor (EDPS)
- BEUC – The European Consumer Organisation