GDPR 2.0: Coming Soon! Tailored for Small and Medium-sized Enterprises

Since its implementation in 2018, the General Data Protection Regulation (GDPR) has become widely recognized as the world’s toughest and most comprehensive data protection regulation. While the GDPR has been widely welcomed by privacy advocates, it has also faced criticism from the business sector.

In response to growing concerns, calls for a review of GDPR have intensified. Much of the criticism centers on the regulation’s extensive documentation requirements, as well as its complexity and lack of proportionality. Critics argue that while the primary goal of the GDPR is to protect natural persons’ privacy, its impact on smaller companies and tech-driven businesses has been counterproductive, leading to excessive administrative burdens and creating a legally uncertain environment – which have had a limiting effect on innovation and competitiveness.

The European Commission has taken note of these concerns and is now working on a plan aimed at simplifying compliance for small and medium-sized enterprises (SMEs).

A Regulation in Need for an Update

There is a widespread view that the GDPR is difficult to comprehend and imposes a significant administrative burden – even in situations where privacy risks are low. For years, the business sector has called for a review of the regulation, and even municipalities and government agencies have expressed lack of certainty around the regulation, often resulting in overly cautious and excessively strict enforcement. This, in turn, threatens to hinder innovation and digital development.

Critics argue that the regulatory load hinder innovation and that the GDPR and other related regulations aimed at tech companies may prevent the EU from effectively competing with global giants like China and the United States.

This risks not only hindering cross-border entrepreneurship but also slowing down the development of new technologies and cybersecurity solutions within the EU.

Reforming GDPR: What Lies Ahead?

In response to this growing criticism, the European Commission is currently working on a proposal on how to simplify the GDPR with the aim of reducing the compliance burden on smaller players – all without jeopardizing the regulation’s core objective and fundamental purpose – protecting individuals’ right to privacy.

The Commission’s plan for reform, expected to be unveiled on May 21, 2025, could lead to a review or removal of certain requirements, particularly those that disproportionately affect SMEs. One concrete proposal under discussion is simplifying the current extensive documentation obligations imposed on organizations with fewer than 500 employees. The overarching goal is to improve Europe’s economic competitiveness by creating a more proportional and manageable regulatory framework, making it easier for companies to comply.

Reflections on the Future of the GDPR 

The need for a review of the GDPR is widely anticipated. In order to ensure effective and enduring protection of personal data, the regulatory framework must be perceived as both legitimate and practically feasible. When the regulatory burden and legal uncertainty become so overwhelming that they stifle innovation growth and digital development, the regulation risks losing recognition – which, in the long run, could undermine the protection it is meant to safeguard.

By modernizing and simplifying the GDPR without compromising its core values, we can create a regulatory environment that is legitimate, effective, and manageable. This would ensure that privacy, innovation, and economic competitiveness can thrive together.

The European Commission is now taking concrete steps toward a more balanced, risk-based approach to regulation – one that focuses on addressing actual privacy risks where they are most significant. It is possible to create a strong framework for data protection that doesn’t stifle innovation or technological progress. After all, technology itself is neither a threat nor a solution – it’s how we choose to use it that makes all the difference.

We’ll be watching closely as this reform process unfolds, eagerly awaiting to see how the Commission navigates the delicate balance between simplifying the regulation and preserving the integrity of data protection.

Contact Us 

Magnusson offers expert legal advice on IT and data protection matters, alongside customized training designed specifically for your company’s needs.

Feel free to reach out to Helena Rönqvist, Caroline Landerfors, or Marie Segerholm for more information. To explore our IT and data protection services further, click here.