GDPR 2.0: what to expect from the new data protection regulation
Almost ten years after Regulation (EU) 2016/679 (better known as the GDPR) was adopted, and seven years after it became fully enforceable, the European Commission has decided to initiate the process of reviewing and updating the regulation. This has led to the development of GDPR 2.0, which aims to simplify compliance procedures, reduce administrative obligations and introduce new categories of enterprise so that more businesses can benefit from mitigating measures.
The main reason this upgrade has become necessary is that, although the GDPR represents a milestone in personal data protection at global level, it has also encountered a series of issues which could potentially stifle innovation, competitiveness and economic development, especially in the case of small and medium enterprises (SMEs).
Main objectives of the review
The proposed review of the GDPR focuses on three essential aspects:
- proportionality of the administrative obligations imposed: not all companies have the same organisational and financial resources. Imposing the same obligations indiscriminately on all businesses, whether multinationals or SMEs, can create imbalances and hinder growth;
- simplification of bureaucracy: reducing the complexity and detail of compliance procedures, eliminating redundant measures and lightening the paperwork load;
- supporting competitiveness and innovation: favouring a regulatory environment which allows European companies to compete at global level without being stifled by excessive administrative constraints.
One of the most significant updates included in GDPR 2.0 involves the creation of a new category of companies known as small businesses with medium capitalisation (small mid caps, or SMCs). These firms can be considered ‘halfway’ between SMEs and large companies, employing between 250 and 499 members of staff.
The objective is to extend some of the mitigating measures already in place for SMEs to these organisations too, allowing them to reduce the costs of compliance and free up resources for strategic investment. According to the Commission’s estimates, these changes could generate a total saving of around 400 million euros per year in administrative costs.
Other key proposals contained in GDPR 2.0 include some innovative solutions designed to make a significant difference to day-to-day compliance management:
- exemption from disproportionate documentation obligations: the elimination of non-essential paperwork, whether instructions or archived records;
- simplified compliance methods: the opportunity to demonstrate that regulatory requirements have been met even without formal recognition under a standard;
- abolition of the generalised obligation to keep a record of processing activities (art. 30): organisations with fewer than 750 staff will no longer be obliged to maintain the register, except where the processing is likely to result in a high risk within the meaning of art. 35;
- a review of codes of conduct (art. 40): greater attention to the needs of SMCs, with more specific guidelines for the sector in which they operate;
- more accessible certifications (art. 42): extended to small mid cap companies, with the aim of offering alternative, more flexible compliance tools.
It is interesting to note that the GDPR review places a particular focus on SMEs and SMCs, which represent the backbone of European manufacturing. These companies often find it difficult to meet requirements designed for larger companies, both because of budget limitations and because of the scarcity of qualified staff. This legislative simplification therefore aims to:
- reduce the risk of over-compliance, in other words avoid the implementation of an excessive number of measures which slow down operational activities;
- incentivise growth without fear of disproportionate consequences for minor violations;
- ensure an adequate level of personal data protection without compromising competitiveness in the global market.
Issues and debate on the review
Nevertheless, some concerns about the review have emerged. Some experts have highlighted how eliminating the record of processing activities could weaken the capacity for risk assessment and impact evaluation, both essential tools in preventing violations and security breaches.
If appropriately used, the register may be viewed as a kind of calling card for an organisation's compliance. This key document allows data processing to be mapped, ensuring transparency. Abolishing it could lead to a loss of control and a lower level of protection.
The issue of penalties
The GDPR introduced an extremely strict penalty system, with fines of up to 20 million euros or 4% of annual global turnover, whichever is higher. Over the years, the fines imposed have reached significant amounts. Estimates indicate that more than 2,500 penalties have been issued, totalling over 6 billion euros. The most notorious cases include:
- Meta, fined over 1.2 billion euros in 2023;
- Amazon, fined over 746 million euros in 2021;
- Meta, fined 405 and 390 million euros in 2022 and 2023 respectively;
- TikTok, fined 345 million euros in 2023.
The concentration of penalties among huge tech multinationals demonstrates that the regulation is being applied rigorously when it comes to highly structured companies. Nevertheless, the problem of the numerous small to medium organisations which, despite the passing of time, have still not fully complied with the GDPR remains.
Connections with the Draghi Report and the AI Act
The drive to review the GDPR emerged after the publication of the Draghi Report on European competitiveness (2024), which highlighted how regulatory complexity risks suffocating innovation. That report placed particular emphasis on:
- fragmentation in the application of the GDPR across member states;
- overlaps with other regulations (especially the AI Act), complicating the regulatory framework for tech companies;
- the need to harmonise the rules and make them more coherent.
Unequal interpretation of the GDPR generates legal uncertainty and stifles cross-border trade, with a negative impact on strategic sectors such as artificial intelligence and cybersecurity.
In order to avoid the problems mentioned above, the European Commission has set specific targets to be reached by 2029. These include a 25% reduction in administrative obligations for companies in general and a 35% reduction for SMEs.
This strategy is part of the wider 'fourth Omnibus package' of legislation for the reduction of bureaucracy, which aims to create favourable conditions for growth, investment and the creation of high-quality jobs.
Translated by Joanne Beckwith
