GDPR Simplification – What Is Changing?

26/05/2025 | News | Technology & Data

Author: Maria Aholainen

On 21 May 2025, the European Commission published a proposal for a regulation that would amend the General Data Protection Regulation (“GDPR”). The proposal is part of the Commission’s Fourth Omnibus Package and a first step towards simplifying the GDPR.

Key Changes to the GDPR

The most notable proposed change is to Article 30(5) of the GDPR. The Commission is proposing an exemption for small and mid-sized companies employing fewer than 750 people from the record-keeping obligation (also known as “ROPA”). The proposal raises the employee threshold from the current 250 to 750 employees, and the record-keeping obligation no longer depends on whether processing is “occasional”. In practice, SMEs are only subject to mandatory record-keeping if they are carrying out processing that is likely to pose a “high risk”. High risk is assessed in line with the existing Article 35 of the GDPR.

Further, the proposal clarifies the record-keeping obligation in an employment context (Art. 9(2)(b) GDPR). The processing of special categories of personal data in an employment context (e.g. employees’ health data) does not automatically trigger the record-keeping obligation.

Next, the proposal will proceed through the EU legislative approval process, with a view to taking effect in 2026.

Other Simplifications in the Field of Data Regulations

The proposal is closely linked to the competitiveness report published in 2024 by Mario Draghi, which draws attention to the need to simplify EU rules. What have we seen so far and what lies ahead?

In February 2025, the Commission decided to withdraw the AI Liability Directive Proposal and ePrivacy Regulation Proposal.
In May 2025, the Commission introduced small simplifications to the GDPR (as explained above).
Later in 2025, the Commission is expected to also simplify cybersecurity reporting requirements and even the AI Act.

It remains to be seen whether additional GDPR changes will also be introduced as the Commission has identified other improvement areas in the GDPR.