May 2025 marked not only the maturity of one of the most influential legislative instruments of the European Union, the General Data Protection Regulation (Regulation (EU) 2016/679 – GDPR), but also the beginning of a new cycle of institutional reflection on its efficiency and proportionality in relation to the business environment. On the occasion of the seventh anniversary of the Regulation’s entry into effect, the European Commission has launched a package of proposals aimed at reducing the administrative burden for controllers, while maintaining the stringency of personal data protection requirements.

At the core of these proposals lies the intention to simplify certain procedural obligations set out by the GDPR, without, however, weakening the substance of the rights guaranteed to data subjects. According to the Commission’s estimates, the measures envisaged could result in annual savings of approximately EUR 400 million for European businesses, a significant impact in an economic climate marked by inflationary pressures and rising operational costs.

One of the most relevant proposed amendments concerns the elimination of the obligation to maintain records of processing activities for micro and small enterprises that do not carry out high-risk processing. In its current form, this obligation imposes a disproportionate burden on entities which, although subject to the GDPR, do not handle data volumes or activities that would justify a high level of documentation. Thus, a differentiated approach, based on the specific risk of the processing, would reflect a better application of the principle of proportionality.

In this context, we consider the joint response of the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS), expressed in a letter addressed to the Commission on 8 May 2025, to have been relevant. The two authorities have preliminarily welcomed this simplification initiative, while underlining the necessity of a careful assessment of the impact of these changes on the organisations concerned, especially those with fewer than 500 employees. However, the aforementioned institutions also drew attention to the risk that an excessive relaxation of documentation obligations could indirectly affect the enforcement of other GDPR provisions, in the absence of an appropriate monitoring framework. At the same time, the EDPB and the EDPS emphasised the importance of maintaining a balance between the legitimate interest of enterprises in reducing administrative burdens and the fundamental right to data protection.

Other modifications included in the proposed package consist in the simplification of the notification procedure for the designation of a Data Protection Officer (DPO), through a standardised EU-level mechanism, as well as the full digitalisation of the forms used in interactions with supervisory authorities. This anticipates a more agile regulatory framework, in which procedural interoperability between national authorities becomes the rule rather than the exception, and GDPR enforcement benefits from greater institutional efficiency.

In this regard, the proposal to digitally standardise the forms used in dealings with data protection authorities is also noteworthy. This measure will facilitate cross-border communication, reduce processing times, and contribute to a more coherent application of the Regulation throughout the European area. It represents an essential step towards consolidating a genuine common data protection space, where cooperation between national authorities is not only possible, but also functionally effective.

These proposals are part of the Commission’s broader initiative entitled the “Relief Package”, which aims to reduce administrative burdens across various areas of EU law without compromising regulatory objectives. They reflect a legislative recalibration effort, adapted both to the lessons learned over the seven years of GDPR implementation and to the evolving digital landscape.

Looking back, the seven years of GDPR application have not only introduced a new global standard in data protection, but have also generated multiple practical and legal challenges. They have laid the foundations for a data governance model based on transparency, accountability and individual control, yet difficulties have persisted in ensuring uniform enforcement, cross-border cooperation among authorities, and timely responses to technological developments—such as those generated by artificial intelligence. During this period, key rulings have been handed down by the Court of Justice of the European Union (including the invalidation of certain international data transfer mechanisms), record fines have been imposed (including against dominant digital platforms), and the transatlantic data transfer framework has been renegotiated under the pressure of shifting geopolitical realities.

Thus, the GDPR anniversary in 2025 is not merely symbolic, but also a strategic opportunity for pragmatic recalibration. If the Commission’s proposals are adopted, the coming period will be marked by a new phase of data protection enforcement, one that is more efficient, more business-friendly, yet equally firm in upholding the fundamental rights of individuals.