GDPR Reform 2025: Changes and Implications
The European Commission recently introduced a proposal to amend the General Data Protection Regulation (GDPR), with the aim of reducing the administrative burden on small and medium-sized enterprises (SMEs). This move is part of a broader strategy to enhance economic competitiveness in Europe and follows recommendations from the Draghi Report, which highlighted how EU legislation can disproportionately affect smaller businesses.
In this article, we outline the key elements of the reform proposal, explore alternative approaches currently under discussion among privacy experts, and explain why these developments are highly relevant for CIPP/E candidates.
Why GDPR Reform Is on the Table
The European Commission published its GDPR reform proposal on 22 May 2025 as part of a wider package to support SMEs. One of the main drivers behind the initiative is the Draghi Report (2024), which argued that regulatory compliance costs in the EU are becoming unsustainable for smaller organisations, especially when compared to global competitors.
The proposal is not a complete overhaul of the GDPR. Rather, it focuses on reducing compliance obligations in specific areas, while still maintaining the overall data protection framework.
What the Commission Is Proposing
The reform centres on Article 30 GDPR, which requires controllers and processors to maintain an internal record of processing activities (commonly referred to as the “processing register”).
Key changes include:
- Raising the exemption threshold: The current rule exempts organisations with fewer than 250 employees from maintaining a register, unless their processing is not occasional or is high-risk. The proposal raises this threshold to 750 employees.
- Condition-based exemption: Even for those under the new threshold, the exemption only applies if no high-risk processing takes place. “High risk” refers to data processing operations that could significantly impact individuals' rights and freedoms, such as large-scale profiling or processing of sensitive data.
The proposed changes are part of a broader attempt to simplify administrative obligations for businesses without significantly weakening data subject protection.
The Origins of Article 30: A Brief History
To understand the implications of the proposal, it is helpful to review the origins of Article 30 GDPR. Historically, data protection regimes in the EU required organisations to notify supervisory authorities of their processing activities. For example:
- The UK Data Protection Act 1984 required registration as a “data user.”
- The Dutch Wbp (Wet bescherming persoonsgegevens) also imposed notification obligations, with specific exemptions for low-risk activities.
When the GDPR was adopted in 2016, the EU abolished these notification schemes in favour of internal documentation via Article 30, as part of a cost-saving measure projected to reduce administrative expenses by €2.5 billion across the EU.
However, since its implementation, Article 30 has been criticised for generating high compliance costs, particularly for larger organisations with complex data environments. A 2018 study estimated the annual cost of maintaining registers under Article 30 for Dutch businesses alone at nearly €1 billion.
Alternative Approaches: What Experts Are Suggesting
Several privacy experts have proposed different ways to reform Article 30 GDPR. According to Jeroen Terstegge, a Dutch privacy strategist and managing partner at Privacy Management Partners, there may be more effective approaches to reducing the GDPR’s compliance burden. While his recent article represents an expert opinion piece, it highlights scenarios that are being widely discussed in the professional field.
Risk-Based Register Obligation
Instead of tying the obligation to organisational size, this approach would require a register only for processing operations that present a high risk to data subjects.
- Advantages: Aligns with the core purpose of the GDPR — protecting individuals’ rights — and applies equally to all organisations, regardless of size.
- Disadvantages: May create uncertainty for businesses unsure of how to assess processing risk. Would likely require new guidance from data protection authorities.
Full Repeal of Article 30
Some have suggested abolishing Article 30 altogether, arguing that internal record-keeping provides little added value for compliance, especially since high-risk processing already requires a Data Protection Impact Assessment (DPIA) under Article 35.
- Advantages: Significant reduction in administrative costs; organisations could still voluntarily maintain internal records where useful.
- Disadvantages: Reduced documentation could make supervision and audits more difficult for data protection authorities (DPAs).
DPIA-Only Documentation Model
This approach would consolidate documentation obligations under Article 35 only, making DPIAs the central compliance mechanism for high-risk processing.
- Advantages: Simplifies GDPR structure; avoids duplicating documentation efforts.
- Disadvantages: May omit useful operational data that is currently included in Article 30 registers.
Introduction of Transitional Thresholds
Another scenario involves keeping the employee threshold but adding a grace period or transitional rules for organisations that grow beyond the limit (e.g. from 740 to 760 employees).
- Advantages: Prevents newly qualifying companies from facing a sudden compliance gap.
- Disadvantages: Adds complexity to enforcement and may encourage short-term threshold avoidance.
These options illustrate that there is no consensus on the optimal approach. Each proposal has trade-offs between administrative burden, legal certainty, and accountability.
Beyond Article 30: Broader Reform Discussions
The reform proposal has also sparked discussions about other structural elements of the GDPR. While not currently part of the Commission’s proposed changes, experts have highlighted the following areas for potential revision:
The Definition of ‘Processor’ (Article 4(8))
- In complex digital service chains, the traditional distinction between controller and processor is becoming blurred. Some argue that most service providers act as independent controllers, especially when using data for secondary purposes like AI training.
- Potential reform: Redefining the concept or eliminating the obligation for controller–processor contracts (Article 28 GDPR) in favour of mutual accountability models.
The Role of the Data Protection Officer (DPO)
- The GDPR mandates a DPO under certain conditions (Articles 37–39), a concept based on older German data protection laws.
- Critics suggest that compliance functions could instead be integrated into a “Three Lines of Defence” model, where audit and risk functions take over some oversight roles traditionally assigned to DPOs.
These broader reflections suggest that a more adaptive and modernised regulatory framework may be on the horizon — though no formal legislative changes have yet been proposed in these areas.
What This Means for CIPP/E Candidates
Whether or not the proposed reform becomes law, it is clear that the GDPR remains a dynamic framework. For candidates preparing for the CIPP/E certification exam, this means staying alert to both formal updates and broader policy discussions.
The IAPP’s CIPP/E curriculum is expected to be updated in September 2025, and it is likely that the proposed changes to Article 30 — if adopted — will be reflected in that revision.
At 22Academy, our CIPP/E Prep Suite is continuously updated to align with the latest legal and policy developments. Whether you are preparing for the exam now or planning to take it after the curriculum update, our training remains fully relevant and accurate.
Conclusion
The European Commission’s proposal to amend Article 30 GDPR is a notable step toward easing administrative burdens for SMEs, while broader discussions around roles, definitions, and compliance structures may shape the future of data protection law in the EU. As reform takes shape, professionals — and especially certification candidates — should stay informed, flexible, and ready to adapt.