
What Does the European Commission’s GDPR Reform in 2025 Mean for Your Business?
How the EU’s Fourth Omnibus Package Could Ease GDPR Compliance for Scaling Businesses
The European Commission’s Fourth Omnibus Package, presented on 21 May 2025, marks a first step on the EU’s journey towards regulatory simplification. The package introduces a number of measures expected to reduce administrative costs for companies by €400 million annually.
At the heart of the proposed changes is a new business category, Small Mid-Cap Enterprises (SMCs): companies with fewer than 750 employees and either a turnover of up to €150 million or a balance sheet total of up to €129 million. The reforms aim to end the so-called “cliff-edge” effect, where growing past the 250-employee SME threshold exposes a company to a disproportionate jump in regulatory burden.
For businesses operating across the EU — and those from outside who target the EU market — the package carries strategic significance for how data protection compliance is approached. This article explores what this means for you.
What are the Proposed Changes?
Rather than overhauling the GDPR, the European Commission proposes selective fine-tuning of key obligations according to the level of risk the data processing presents. The aim is to preserve high standards of data protection while removing unnecessary administrative weight, specifically to:
- Provide better support to scaling companies that reach the “cliff-edge”
- Simplify record-keeping obligations for low-risk data processing activities
- Accelerate the transition from paper to digital
Here’s a breakdown of the most significant updates, and how they realign compliance with practical realities:
1. Risk-Based Record-Keeping Under Article 30
The proposal changes the logic of the GDPR’s record-keeping obligation. The exemption in the current Article 30(5) for enterprises with fewer than 250 employees is not a blanket one: it falls away where the processing is likely to result in a risk to data subjects, is not occasional, or involves special categories of data or data relating to criminal convictions. The proposal would replace that headcount threshold with a broader and more clearly risk-based rule:
_“SMEs, SMCs and organisations with fewer than 750 employees will only be required to maintain records when the processing of personal data is ‘high risk’ under the GDPR.”_
This narrows the record-keeping obligation for low-risk processing while keeping it where data subjects’ rights are most exposed. It aligns regulatory focus with operational reality, a long-standing goal of the Commission’s better regulation agenda.
2. Codes of Conduct Now Include SMCs
Separately, the European Commission proposes reforms to the GDPR provisions on codes of conduct (current Article 40).
Under the current Article 40, Member States, supervisory authorities, the European Data Protection Board and the Commission must encourage the drawing up of sector-specific codes of conduct, in particular by associations representing controllers and processors, taking account of the specific needs of micro, small and medium-sized enterprises. The proposal would extend that wording so that the “specific needs” of Small Mid-Cap Enterprises (SMCs) are explicitly considered as well.
3. Certification Mechanisms Do Too
The proposal makes a parallel change to certification mechanisms under the current Article 42, which likewise must take account of the specific needs of micro, small and medium-sized enterprises. Certification was meant to give the market a simple way to demonstrate compliance, but it has not delivered that benefit in practice. The Commission therefore proposes to simplify certification and make it more accessible, with SMCs named alongside SMEs.
From Red Tape to Real Efficiency
The Fourth Omnibus Package is one component of the broader simplification initiative. In the Commission’s own words, this package is designed “to make EU regulation simpler, faster and better for everyone”.
For GDPR compliance, the key takeaway is that some obligations are shifting from being driven by organisation size or turnover, to being driven by the risk of the data processing activities. This better aligns with the original intent of the GDPR — to protect individuals’ data rights while enabling responsible data-driven innovation.
Opinion: The Problem Isn’t the Regulation Itself.
These changes are welcome, but they are not a fundamental solution, because the regulation itself is not the main problem. The complexity comes from the number of authorities involved and the way each of them handles the GDPR.
This is especially true for non-EU companies. Unlike controllers established in the EU, which benefit from a lead supervisory authority under the one-stop-shop mechanism, a non-EU company may have to deal with over 40 different EU/EEA supervisory authorities for matters relating to GDPR compliance, whether communicating the contact details of a DPO, notifying a personal data breach, or anything in between.
One solution is to strengthen the role of the Representative under Article 27 GDPR, making it a single point of contact that coordinates between the organisation and the supervisory authorities. That would remove much of the complexity while letting organisations remain confident that they are meeting their obligations under the GDPR.
Reinforcing the Need for Smarter Data Protection Compliance
The European Commission’s Fourth Omnibus Package is a clear signal: the EU is listening to businesses that scale quickly but cannot absorb the compliance overhead of large enterprises. By easing blanket obligations and promoting proportionality, the proposed GDPR amendments would let SMCs grow confidently without compromising on data protection.
At Prighter, we help you stay ahead, not just of regulation, but of risk. Whether you are working to understand your obligations today or preparing for tomorrow, we are your trusted partner in ensuring proactive and scalable data protection compliance.
Discover the benefits of proactive data protection compliance today. Book a free consultation and find out how Prighter can help your organisation take a smarter approach to data protection compliance.