Wednesday, 4 June 2025
Change in the world of data protection – what’s really going on?

The world of data protection is rarely boring, but even by its normal standards there is quite a lot of noise in Europe at the moment.
In the UK, we have the imminent arrival of the Data (Use and Access) Bill and a government asking regulators to consider how they can foster growth and innovation. In the EU, the European Commission has just published a paper looking at GDPR simplification. So how much is actually changing and what opportunities will it bring?
The role of regulation in growth
In December 2024, the UK government reached out to regulatory bodies, requesting ideas on how to promote economic growth. These suggestions contributed to the creation of a policy paper titled New Approach to Ensure Regulators and Regulation Support Growth, published in March 2025. The paper outlined three key actions.
- Tackle complexity and the burden of regulation
- Reduce uncertainty across our regulatory system
- Challenge and shift excessive risk aversion in the system
Is this approach entirely new? In some ways, yes. While growth and innovation haven’t always been a direct focus for all regulators, certain aspects naturally align with economic growth, and in some cases, it is explicitly stated. For example, Ofgem oversees the Smart Energy Code. Gemserv, a Talan Company, manages secretariat and administration services for it. One of its objectives, Objective E, is to encourage innovation in the design and operation of energy networks.
In many US states, data protection failings are addressed under unfair trading practices rules, on the basis that failing to comply with legal obligations amounts to seeking an unfair competitive advantage by avoiding costs. It’s similar here – TechUK held an event at the end of May 2025 to launch their new report on pro-growth regulation and I took the opportunity to ask panel members including representatives from Ofcom, the Information Commissioner’s Office and the Competition and Markets Authority about the role of enforcement in pro-growth regulation. Stephen Bonner, Deputy Commissioner, Regulatory Risk spoke about the importance of enforcement in creating a level playing field and the challenges faced by smaller innovators who find compliance hard if they perceive their competitors to be cutting corners.
Regulation is often designed to support innovation by ensuring that organisations are clear about what ‘good’ looks like, and consumers feel they can trust the innovations offered to them. An absence of trust is often associated with an absence of sales. It’s notable that the leading players in the current generative AI boom have explicitly asked for more regulation to help the industry grow.
On the flip side, the United States operates a deliberately low intervention regulatory approach and it is notable that the Republicans’ current Big, Beautiful Bill includes a clause prohibiting states from regulating AI for the next ten years. Clearly, they believe that regulation hinders growth and should only be deployed where there is compelling evidence of material harm.
In Europe, I expect to see more scrutiny of the impact of new regulations on growth, and more emphasis on working with diverse organisations, but I doubt I will see any kind of bonfire of existing red tape.
GDPR simplification
The European Commission published its paper on GDPR simplification in May 2025. This is a grand title that promises much – so does it deliver?
Changes to GDPR have been mooted many times in the past. One of my favourites, which sadly hasn’t made it into the paper, was a German suggestion to create a category for Producers, to sit alongside Controllers and Processors, for organisations that create the tools that process personal data but don’t actually handle the processing.
The main change suggested is to create a new tier of ‘small mid-cap enterprises’ (SMCs) with 250 to 750 employees. At present, under Article 30(5), organisations with fewer than 250 employees are exempt from the requirement to maintain records of processing activities unless the processing is not occasional, is likely to pose a risk to data subjects’ rights and freedoms, or involves special category or criminal offence data. The Commission is proposing to extend this exemption to organisations with up to 750 employees and to change the wording so that it captures only processing that poses a ‘high’ risk to individuals.
The first observation is that this clearly does not do away with the need to maintain records. ‘Not occasional’ processing usually makes up the majority of an organisation’s processing activities, so it remains in scope. The proposal also introduces a new requirement to risk assess ad hoc processing in order to determine whether it poses a high risk to individuals and therefore whether a record needs to be created.
Given the ‘occasional’ nature of the processing, that determination will probably have to be made at the time of the processing, which is likely to slow down one-off tasks and introduces the risk that the requirement is simply missed. If nothing goes wrong you might get away with that, but if something does go wrong you will be left without an important tool to support the investigation.
It is also worth noting that, while creating records of processing activities can be a substantial undertaking and feel like something of a chore, organisations often find them very useful once they exist: they give a clear view of what processing is taking place, where the risk sits, and what effect a proposed change might have.
The second change is to encourage the development of certification schemes and codes of conduct designed for smaller organisations. These really haven’t taken off – while the ICO has published several codes of practice, and there are lots of codes covering data protection (including the Smart Energy Code referenced above), only one (for Investigative and Litigation Support Services) has been approved by the ICO as an Article 40 code of conduct. It’s not clear that further encouraging words will address this, or whether regulators will respond to such encouragement by engaging with the kinds of trade associations that might produce such codes to find out why they haven’t.
What should we expect in practice?
Overall, organisations should expect to see some changes but nothing truly earth-shattering. Regulators are looking for more engagement, particularly from new voices outside the usual blue-chip organisations with access to policy makers. In practice that is likely to mean more consultations and more outreach efforts. We would recommend that organisations take advantage of this to get their voices heard and help ensure regulators understand their sectors, hopes and concerns.
Organisations should also consider whether any of the relaxations and simplifications offers them a benefit. The UK’s Data (Use and Access) Bill, for example, encourages organisations to make more use of Legitimate Interest as a lawful basis for processing. It does not really change the underlying requirements, but it is worth reassessing whether Legitimate Interest could now be available for new activities, and whether those activities would be beneficial.
Similarly, if the recommendations in the Commission’s paper are eventually enacted in a revised GDPR, it is worth weighing whether the effort required to risk assess ad hoc processes will actually be lower than the effort required to maintain records of processing for low- and medium-risk occasional processes.
Finally, it may be worth lobbying trade associations to introduce codes of practice. Such codes level the playing field and reduce the cost of compliance by setting common standards. They typically take a flexible approach that allows for varying methods of compliance, but they reduce uncertainty and therefore the time it takes to design a compliant solution.
Overall, we welcome the efforts to position regulation as a growth enabler and hope to see more, and more significant, opportunities arising from them in the future.