GDPR Archives | TrustArc (https://trustarc.com/topic-resource/gdpr/, feed retrieved Thu, 16 Apr 2026 15:17:07 +0000)

https://trustarc.com/resource/eu-digital-omnibus-proposal-2025-gdpr-amendments-eu-ai-act/ (published Wed, 21 Jan 2026 13:19:00 +0000)
Article

The EU Digital Omnibus Proposal 2025: Key Amendments to GDPR and the AI Act

January 21, 2026

The EU Digital Omnibus Regulation and the simplification shift

For years, privacy and compliance leaders have operated in a state of high-velocity adaptation. You have been the architects of trust in a landscape defined by regulatory fragmentation, frantically patching together compliance frameworks for the GDPR, the Data Act, and the looming EU AI Act. But on November 19, 2025, the European Commission signaled a massive strategic pivot, one that transforms your role from “firefighter” to “visionary.”

The Commission’s proposal for the EU Digital Omnibus Regulation is not just another layer of red tape; it is a corrective measure designed to “repair” the complex overlaps between the EU’s digital laws. By aiming to reduce regulatory burdens in the EU and boost competitiveness, this proposal acknowledges what you have known all along: true compliance requires clarity, not chaos.

For Data Protection Officers (DPOs), Chief Privacy Officers (CPOs), and security leads, this is a strategic inflection point. The rules are being rewritten to favor operational reality over bureaucratic rigidity. But do not mistake simplification for deregulation. The EU digital rulebook 2026 will be leaner, but sharper. The proposal offers you a rare commodity in our industry: time. The question is, will you use it to catch your breath, or will you use it to solidify your competitive advantage?

Major EU AI Act updates: Delays and red tape cuts

The original implementation timeline for the EU AI Act was a source of sleepless nights for many of you. The sheer velocity required to meet the 2026 deadlines for high-risk systems threatened to derail innovation budgets and force hasty, tick-box compliance. The Omnibus proposal fundamentally alters this trajectory with a mechanism designed to prioritize quality over speed.

The “stop the clock” mechanism

The most critical amendment in the proposal is the AI Act compliance deadline extension. The Commission has introduced a pragmatic “stop the clock” provision. Instead of a hard, arbitrary date, the compliance deadline for high-risk AI systems (Annex III and Annex I) will now be triggered only after the necessary harmonized standards are officially ready.

Specifically, the timeline shifts to 6 months (for Annex III) and 12 months (for Annex I) after the Commission confirms that the support tools and standards are in place. If those standards are delayed, your deadline moves with them, with a potential “long-stop” date pushing compliance out to late 2027 or even August 2028.

This high-risk AI obligations delay is a game-changer. It transforms a sprint into a marathon, allowing you to build robust, defensible AI governance frameworks rather than rushing to meet a deadline.

Relief for the “small mid-caps”

Previously, the SME designation was a narrow lifeline. The Omnibus proposes expanding this SME AI regime to include “Small Mid-Caps” (SMCs), companies with up to 499 employees and a turnover of up to €100 million. If your organization fits this profile, you may gain access to the same regulatory sandboxes and reduced penalties previously reserved for smaller players.

Reinforcing AI literacy: A clearer mandate

Instead of softening the rules, the Omnibus proposal doubles down on the importance of human oversight. The amendments reinforce the AI literacy obligation, clarifying that both providers and deployers must ensure their staff possesses the “sufficient knowledge, training, and contextual understanding” to manage these systems safely.

This is no longer a vague suggestion; it is a concrete compliance requirement. For you, this means your internal training programs cannot be generic “AI 101” courses. They must be tailored to the specific context of the AI tools you are deploying, ensuring your teams can effectively detect bias, interpret outputs, and challenge the machine’s decisions when necessary. The human-in-the-loop must be a competent human.

GDPR and privacy changes: The 96-hour rule and cookies

While the EU AI Act changes are headline-grabbing, the GDPR simplification proposal contained in the Omnibus offers the most immediate tactical relief for your daily operations. The Commission has finally addressed the incident response fatigue that burns out security teams.

The shift to a 96-hour reporting window

For nearly a decade, the 72-hour breach notification rule has been the golden, often grueling, standard. It forced teams to report incomplete information just to beat the clock. The Omnibus proposes extending this window to 96 hours (4 days).

The Omnibus proposal also seeks to align the reporting threshold for Data Protection Authorities (DPAs) with the higher bar currently used for individuals. Under the new text, you would only be legally mandated to report breaches that pose a high risk to individuals’ rights and freedoms.

On the surface, this change appears to “filter out the noise,” allowing your team to focus forensic energy on genuine, high-impact threats rather than administrative paperwork. However, this new latitude comes with a warning label. Privacy experts caution that “minor” is subjective. Narrowing the criteria creates a blind spot where cumulative small-scale breaches could go unnoticed. Therefore, while your reporting volume may drop, your internal logging must remain rigorous to defend against accusations of underreporting later.

Solving cookie consent fatigue

We all know that “accept all” banner blindness is real. The Omnibus attacks cookie consent simplification in the EU by proposing two major shifts:

  • Exemptions: Audience measurement and security cookies may no longer require active consent.
  • The “Do Not Re-Ask” rule: If a user rejects consent, you cannot ask them again for six months. This forces a redesign of the user experience. You can no longer nag users into compliance; you must build trust so they want to opt in.

Codifying the SRB case: A nuanced data definition

Perhaps the most intellectually significant change is the proposal to reflect the Single Resolution Board (SRB) case law within the GDPR’s framework. The text clarifies the boundaries of personal data, suggesting that if an entity holding data cannot reasonably identify the individual—taking into account all objective factors like costs, time, and available technology—it may not be personal data in their specific hands.

However, this is not a loophole; it is a high bar. It validates the relative approach to personal data but attaches strict conditions. To leverage this defense, you must demonstrate robust safeguards that effectively prevent re-identification, such as legal and technical barriers that make obtaining the “key” impossible. If you hold a pseudonymous dataset, you can’t just claim ignorance; you must prove that identifying the individual is practically unfeasible. This potential opening for data sharing and analytics exists, but only if your segregation of duties is legally and technically waterproof.

Streamlining incident reporting (the single entry point)

If you are managing compliance for a multinational, you are likely juggling reports for GDPR, NIS2, DORA, and the Cyber Resilience Act. It is a fragmented mess of portals and forms. The Omnibus proposes a solution that sounds too good to be true: a Single Incident Reporting Entry Point.

Managed by ENISA

The proposal mandates a centralized platform, operated by ENISA (the EU Agency for Cybersecurity), to serve as the clearinghouse for all major digital incident reports.

  • Report once, share many: You submit one report regarding a cyber incident.
  • Automated triage: The platform routes the relevant data to the DPA (for GDPR), the CSIRT (for NIS2), or the financial regulator (for DORA).

This ENISA incident reporting infrastructure is the technical backbone of the cross-border data enforcement strategy. It removes the risk of reporting to one regulator but forgetting another, and at the same time it increases transparency between regulators: if you report a breach to the financial regulator, the privacy regulator will know instantly. Your narrative must be consistent across all channels.

What DPOs and Privacy Counsels need to do now

The EU Digital Omnibus Regulation is a proposal with high political momentum. Waiting for the final text to be inked in the Official Journal is a strategy for followers, not leaders. Here is how you can pivot your DPO compliance updates 2026 strategy right now.

1. Don’t pause, pivot

The high-risk AI obligations delay is not a permission slip to stop your AI governance program. If you pause now, you lose momentum. Instead, use this time to deepen your testing. Move from compliance checking to safety engineering. Use the extra 12+ months to stress-test your AI models against the draft harmonized standards. When the deadline finally hits, you won’t just be compliant; you will be unassailable.

2. Review your “small mid-cap” status

Work with your finance and legal teams to determine if you fall under the new “Small Mid-Cap” definition (up to 499 employees, €100M turnover). If you do, your digital legislation compliance burden for the EU AI Act just dropped significantly. Re-evaluate your vendor contracts. If your vendors are SMCs, they might have different obligations than you expected.

3. Update your incident response playbooks

Do not change your official policy to 96 hours yet; the law hasn’t passed. However, draft the “Version 2.0” playbook now.

  • Plan for high risk: Define exactly what “high risk” means for your organization to justify not reporting minor breaches under the new rules.
  • Prepare for ENISA: Ensure your CISO and Privacy Office are speaking the same language. When the single portal opens, the “security” report and the “privacy” report are the same report. Inconsistencies will be flagged immediately.

4. Audit your data flows for the SRB defense

Look at your data lakes. Are there datasets you treat as personal data simply because someone else has a key? Under the new EU proposals for reducing regulatory burden, you may be able to reclassify that data if you can prove that you have no means of re-identification. This could drastically reduce your GDPR exposure.

Navigating DPO compliance updates 2026 in a new era

The EU Digital Omnibus Proposal is an acknowledgment that the first era of digital regulation (the era of “move fast and regulate things”) is over. We are entering the era of maturity.

For the privacy professional, this is your moment of ascension. You are no longer the person who says no because of a deadline. You are the strategist who says yes because you understand the landscape. You have the tools, you have the knowledge, and now, you finally have the time.

The EU digital rulebook 2026 is not a cage; it is a framework. And in the right hands, a framework is a ladder.

Are you ready to map these changes to your 2026 budget?

https://trustarc.com/resource/european-union-data-privacy-whats-next-for-2025/ (published Thu, 30 Jan 2025 15:42:38 +0000)
Article

European Union Data Privacy: What’s Next for 2025?

The European Union (EU) has long been a global leader in establishing robust data privacy laws, creating what many refer to as the “Brussels Effect”—a phenomenon where EU regulations influence global standards. For instance, GDPR inspired similar legislation in over 120 countries, demonstrating the EU’s far-reaching impact on international data privacy norms.

With the GDPR setting a high bar for data protection in 2018, the EU continues to shape the future of privacy governance, particularly in the face of burgeoning artificial intelligence (AI) technologies.

This article explores how the GDPR and recent EU laws like the AI Act and Digital Operational Resilience Act (DORA) are advancing the need for comprehensive data governance and privacy, what’s next for AI and data processing, and how to incorporate these developments into your 2025 privacy roadmap.

GDPR and the AI Act: Raising the stakes for data privacy

Since its enforcement in 2018, the GDPR has been the gold standard for data privacy. Its transparency, accountability, and individual rights principles have set a benchmark for global privacy laws. However, the rapid evolution of AI technologies has prompted the EU to establish the AI Act, which went into force in August 2024. This act aims to regulate AI systems based on their risk to individuals’ fundamental rights, health, and safety.

The AI Act employs a tiered, risk-based approach, prohibiting certain high-risk applications like social scoring and real-time biometric identification in public spaces. For high-risk AI systems, the act mandates:

  • Risk management systems
  • Transparency measures
  • Data governance practices
  • Human oversight mechanisms

Organizations deploying AI must align these requirements with GDPR obligations, creating a dual compliance framework that demands robust data protection measures and clear documentation of AI system processes.

AI governance: What’s next?

The AI Act introduces timelines for phased compliance, with most provisions taking effect by August 2026. Notable upcoming requirements include:

  • AI literacy initiatives to ensure users and developers understand AI risks and benefits.
  • Codes of Practice for General Purpose AI (GPAI) to be finalized by May 2025.
  • Governance structures for systemic-risk AI models, emphasizing testing, risk assessments, and adversarial evaluations.

Additionally, the EU is exploring supplemental rules to harmonize procedural aspects of the GDPR, potentially improving cross-border enforcement and cooperation among data protection authorities (DPAs).

Want a deeper dive into how these EU developments fit into the bigger global privacy picture? Check out The Data Privacy Professionals’ Guide to Thriving in 2025 for practical strategies that extend beyond borders and get your entire program future-fit.


New frontiers in data governance: The EU Data Act, DORA, and NIS2

The EU Data Act

Effective September 12, 2025, the EU Data Act introduces new rules for data access, sharing, and portability, particularly for connected devices and the Internet of Things (IoT). Unlike the GDPR, which focuses on personal data, the Data Act encompasses both personal and non-personal data, fostering innovation while addressing business-to-business (B2B) and business-to-government (B2G) data sharing.

Key obligations under the Data Act include:

  • Providing users access to their generated data: This includes both personal and non-personal data, as well as metadata produced by connected devices, ensuring individuals can retrieve and manage their data.
  • Ensuring data portability between service providers: Companies must facilitate seamless data transfers, enabling users to switch providers without data loss or excessive delays.
  • Establishing safeguards for intellectual property and trade secrets: Organizations are required to implement protections that balance data accessibility with the need to secure proprietary information and sensitive business details.

The Digital Operational Resilience Act (DORA) and NIS2 Directive

Effective January 17, 2025, DORA targets the financial sector by creating a comprehensive information and communication technology (ICT) risk management framework. Alongside DORA, the NIS2 Directive introduces stringent cybersecurity requirements for essential entities across sectors like energy, healthcare, and transport, significantly broadening the EU’s cybersecurity landscape. NIS2 emphasizes:

  • Incident reporting within 24 hours of identification.
  • Regular resilience testing to assess readiness.
  • Stringent third-party risk management.

Failure to comply with DORA or the NIS2 Directive can result in substantial penalties. For example, non-compliance with DORA can result in fines of up to 10 million euros or 2% of annual global turnover. The NIS2 Directive mandates strict incident reporting within 24 hours and imposes penalties proportionate to the gravity of the cybersecurity breach, further emphasizing the need for robust frameworks.

Insights from recent papers and opinions

The Hamburg Commissioner’s paper on Large Language Models and Personal Data

This paper highlights a crucial distinction: while large language models (LLMs) process personal data during training, storing such models does not necessarily constitute ongoing data processing under GDPR. This interpretation underscores the need for organizations to demonstrate accountability in training and deploying AI systems.

EDPB Opinion 28/2024 on Processing Personal Data in the Context of AI Models

The European Data Protection Board (EDPB) emphasizes rigorous evaluation of AI systems trained on personal data. To demonstrate compliance, organizations must document every step, including Data Protection Impact Assessments (DPIAs).

CIPL: The Limitations of Consent as a Legal Basis for Data Processing in the Digital Society

The evolving digital landscape challenges the scalability of consent as a lawful basis for data processing. Recent discussions from the Center for Information Policy Leadership (CIPL) suggest that legitimate interest, with safeguards like opt-outs, may offer a more practical alternative for training AI models.

Watch as privacy experts discuss these papers in Data Privacy in the EU: What You Need to Know.

Building your data privacy 2025 roadmap

To remain compliant and competitive, privacy and compliance professionals must proactively adapt to the EU’s evolving legal landscape. Here are critical steps to include in your 2025 roadmap:

1. Enhance data mapping and scoping

While data mapping has been a cornerstone of GDPR compliance, organizations must expand their efforts to include metadata and information generated by AI and connected devices. Identify high-risk AI applications and map their data flows to ensure compliance with GDPR and the AI Act.

Revisit your data inventories to include non-personal data covered under the Data Act. The Data Act’s requirements for data portability and access add layers of complexity to traditional data governance.

2. Strengthen AI governance

Develop and implement policies for AI risk management, transparency, and accountability. Include provisions for human oversight and ethical considerations in AI deployment.

3. Update policies and contracts

Review and update your privacy policies, data-sharing agreements, and third-party contracts to reflect new obligations under the Data Act and DORA.

4. Invest in training

Train your teams on AI literacy and emerging regulatory requirements. Ensure all employees understand their roles in maintaining compliance and mitigating risks.

5. Prepare for regulatory changes

Monitor updates from EU institutions, such as the European Data Protection Board (EDPB), the EU Commission, and individual DPAs. Stay informed about new procedural rules for GDPR enforcement and guidance on AI compliance.

The “Brussels Effect”: A call to action

The EU’s legislative agenda underscores its commitment to safeguarding individual rights while fostering innovation in a digital age. For businesses operating in or engaging with the EU, this means embracing a proactive, governance-driven approach to privacy and AI compliance.

Incorporating the GDPR, AI Act, Data Act, and DORA into your 2025 strategy will help you navigate the complexities of European data privacy laws. This proactive approach ensures compliance and builds a resilient, future-ready organization.

The EU’s regulatory framework may seem like uncharted space, but with the right tools and mindset, you can boldly go where no compliance program has gone before.

https://trustarc.com/resource/ensuring-global-privacy-compliance-with-trustarc-at-teknor-apex/ (published Wed, 30 Oct 2024 13:51:24 +0000)
Case Study

Ensuring Global Privacy Compliance with TrustArc at Teknor Apex

How did Teknor Apex navigate GDPR compliance?

Facing the challenge of GDPR compliance, Teknor Apex, a global manufacturer, turned to TrustArc for a comprehensive solution. With TrustArc’s expertise and tools, Teknor Apex quickly established an efficient privacy program, ensuring global regulatory adherence and fostering a culture of privacy. Discover how this strategic partnership transformed their approach to data protection and compliance.

https://trustarc.com/resource/does-gdpr-apply-to-us/ (published Tue, 10 Sep 2024 11:59:00 +0000)
Article

Does the GDPR Apply to the U.S.?

GDPR compliance requirements for the U.S.

Enacted by the European Union (EU), the General Data Protection Regulation is often mistakenly thought of as a set of rules that only apply within Europe.

However, this couldn’t be further from the truth. A common question many U.S. businesses have is: Does GDPR apply to us? The answer, in many cases, is yes.

What is GDPR?

The GDPR, or General Data Protection Regulation, is a comprehensive data protection law that came into effect on May 25, 2018. Its primary objective is to safeguard the personal data and privacy of EU citizens, providing individuals with greater control over their data. It imposes strict requirements on how organizations handle personal data, with hefty fines for non-compliance.

To dive deeper into the GDPR, you can explore our comprehensive guide on the GDPR.

Who does GDPR apply to?

Understanding the reach of GDPR is crucial for any organization handling personal data. Essentially, GDPR applies to any organization, regardless of its location, that processes the personal data of individuals residing in the EU. This means GDPR’s scope is extraterritorial, reaching beyond the borders of the EU.

The regulation affects not only EU-based companies but also non-EU entities that offer goods or services to EU residents or monitor their behavior. For a detailed exploration of this topic, you can read the article, Who does GDPR apply to?


How GDPR applies to U.S. businesses

GDPR’s extraterritorial reach means that U.S. businesses are not exempt from its requirements. If your company processes personal data of EU citizens—whether through offering goods or services, employing EU residents, or monitoring EU citizens’ online behavior—your organization is subject to GDPR. This includes:

  • E-commerce Platforms: Websites that sell products or services to customers in the EU.
  • Service Providers: Companies offering digital services such as SaaS, cloud storage, or marketing solutions to EU clients.
  • Multinational Corporations: U.S. companies with subsidiaries or business operations in the EU.

These organizations must ensure they are compliant with GDPR’s regulations, as non-compliance can result in fines of up to €20 million or 4% of the company’s global annual revenue, whichever is higher.

The recent enforcement action from the Dutch DPA on Clearview is an excellent example of how the GDPR applies to the U.S. Clearview argued that the GDPR does not apply to them because they are based in the U.S.; however, the assertion was rejected because the evidence showed that they processed data of individuals in the EU, including Dutch citizens, thereby falling under the territorial scope of GDPR.

Clearview was fined €30.5 million (USD $33,684,352) for unlawfully collecting and processing biometric data of EU citizens without proper legal grounds; the company failed to comply with access requests, neglected transparency obligations, and did not appoint an EU representative.

GDPR compliance requirements for U.S. businesses

For U.S. businesses, achieving GDPR compliance involves meeting several key requirements:

  • Data Protection Principles: Adhering to principles such as lawfulness, fairness, transparency, data minimization, accuracy, storage limitation, and integrity and confidentiality.
  • Legal Bases for Processing: Identifying valid grounds for processing personal data, such as consent, contract, legal obligation, vital interests, public task, or legitimate interests.
  • Individual Rights: Respecting and facilitating the rights of individuals, including the right to access, rectify, erase, and restrict processing of their data, as well as the right to data portability and to object.
  • Data Protection Officers (DPOs): Appointing a DPO if the core activities involve large-scale processing of sensitive data or regular monitoring of individuals.
  • Data Protection Impact Assessments (DPIAs): Conducting DPIAs for processing activities that pose high risks to the rights and freedoms of individuals.
  • Records of Processing Activities: Keeping detailed records of processing activities involving personal data.

Challenges and solutions for GDPR compliance

U.S. businesses face several challenges when navigating GDPR compliance. These challenges often stem from differences in regulatory environments, the complexity of GDPR requirements, and the technical measures needed to protect personal data.

To overcome these challenges, businesses can implement practical solutions:

  • Appointing a Data Protection Officer (DPO): A DPO ensures that the organization complies with GDPR requirements and serves as a point of contact for data subjects and supervisory authorities.
  • Employee Training: Regularly training employees on data protection practices and GDPR compliance helps minimize risks and ensure that staff are aware of their responsibilities.
  • Using GDPR Compliance Software: Leveraging specialized software can streamline compliance efforts, automate data protection processes, and provide ongoing monitoring and reporting capabilities.

Benefits of GDPR compliance for U.S. businesses

While achieving GDPR compliance can be challenging, the benefits extend far beyond avoiding fines. Complying with GDPR can lead to:

  • Enhanced Data Security: Implementing GDPR standards improves overall data protection, reducing the risk of data breaches and cyber-attacks.
  • Increased Customer Trust: Demonstrating a commitment to data privacy builds trust with customers, which can enhance brand reputation and loyalty.
  • Market Advantage: Being GDPR-compliant can open doors to new business opportunities, particularly in the EU market, where data privacy is a significant concern.

Achieve and Maintain GDPR Compliance with TrustArc

Managing the complexities of GDPR compliance can be daunting, but you don’t have to do it alone. TrustArc offers a range of data privacy solutions tailored to help businesses achieve and maintain GDPR compliance. From comprehensive assessments to advanced compliance software, TrustArc provides the tools and expertise needed to protect personal data and ensure regulatory compliance.

https://trustarc.com/resource/gdpr-compliance-7-principles-of-gdpr/ (published Thu, 22 Aug 2024 15:58:40 +0000)
Article

GDPR Compliance: 7 Principles of GDPR

Unlocking GDPR compliance: Mastering seven principles of GDPR

High-profile data breaches and growing privacy concerns have led to stringent data protection laws worldwide. And the General Data Protection Regulation (GDPR) stands as the gold standard.

The GDPR establishes rules that not only apply to organizations within the EU but also to those outside the EU that process the personal data of EU citizens. This extra-territorial scope forces compliance from global entities, making GDPR a truly international framework.

But GDPR compliance isn’t just about dodging fines—it’s about building trust, securing your reputation, and embedding data privacy into your company’s DNA. At the heart of GDPR are seven key principles that every organization handling personal data must understand and implement.

Principle 1: Lawfulness, fairness, and transparency

The cornerstone of GDPR, this principle ensures that personal data is handled lawfully, fairly, and transparently. It’s about having a legitimate reason for data processing and being upfront with individuals about how their data is being used. Under GDPR, there are several legal grounds for processing personal data, including consent, performance of a contract, legal obligations, vital interests, public tasks, and legitimate interests.

Imagine a scenario where users eagerly sign up for your service, confident that their data is in safe hands. To uphold this trust, ensure you have a clear legal basis for processing their data. While obtaining informed consent is one approach, it’s not the only one.

For instance, processing might be necessary to fulfill a contract with the user, or it might be required to comply with legal obligations. Whatever the basis, use simple, jargon-free language in your privacy notices so users fully understand how their data will be used. Transparency isn’t just a regulatory checkbox—it’s a trust builder.

Principle 2: Purpose limitation

This principle emphasizes that data should be collected for specific, legitimate purposes and not be used beyond those intentions.

Think of it like this: if you’re collecting email addresses to send out newsletters, stick to that purpose. Avoid the temptation to use those email addresses for unrelated marketing campaigns unless you’ve secured additional consent.

By keeping your data usage purpose-specific, you’re not only complying with GDPR, but also respecting your users’ expectations.

Principle 3: Data minimization

Only collect the data you truly need—nothing more, nothing less. Data minimization is all about being lean with your data collection, gathering only what’s essential for your stated purposes.

Consider a simple registration form—do you really need a user’s home address when an email will suffice? The less data you collect, the lower your risk in case of a breach. But it’s not just about reducing risk—minimizing the data you collect also lowers your overall compliance burden.

Less data means fewer obligations when it comes to storage, access requests, and security measures, which can translate into significant cost savings.

Regularly audit your data collection practices to ensure they align with the principle of minimization. Less is more when it comes to data. It keeps your processes efficient, reduces operating costs, and strengthens your compliance.

Principle 4: Accuracy

GDPR mandates that personal data be accurate and kept up to date, where necessary. Outdated or incorrect data can lead to mistakes that damage trust and violate privacy rights.

Keep your data accurate by empowering users to update their information regularly. For example, offering an easy-to-use online portal where users can edit their details can go a long way.

Regularly reviewing and correcting data errors is essential for maintaining the integrity of your database and the trust of your customers.

Principle 5: Storage limitation

Personal data shouldn’t be kept longer than necessary. Once it has served its purpose, it’s time to securely delete or anonymize it.

Implement clear data retention policies that define how long you’ll keep each category of data and what happens when that period ends. For example, customer data might be stored for a defined period after the relationship ends, but beyond that it should either be erased or rendered genuinely anonymous so that it can no longer be linked to an individual. Pseudonymisation (replacing names with tokens while keeping the key) does not count: pseudonymised data is still personal data under the GDPR, so it does not end the retention clock.

This practice not only reduces the risk of holding onto outdated or irrelevant data but also aligns with GDPR’s strict guidelines on data retention.
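Purpose limitation, data minimisation and storage limitation are mechanical enough to enforce in code rather than in policy documents alone. The following is an added example written for this page, not TrustArc’s code or product: a hypothetical purpose register declares, per purpose, the lawful basis, the only fields that may be collected, the retention period and what happens when it expires. `collect` rejects surplus fields, `check_use` blocks reuse of a record for a different purpose, and `apply_retention` erases or anonymises expired records. The purpose names, field names, retention periods and sample records are all constructed for illustration.

```python
"""Purpose-bound collection and retention (illustrative; register is hypothetical)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Purpose:
    lawful_basis: str          # Art. 6 basis, recorded for accountability
    allowed_fields: frozenset  # data minimisation: nothing else is accepted
    retention: timedelta       # storage limitation: how long records live
    end_of_life: str           # "erase" or "anonymize" once retention expires


# Hypothetical register; in practice derived from the record of processing activities.
PURPOSES = {
    "newsletter": Purpose("consent", frozenset({"email"}), timedelta(days=730), "erase"),
    "order_fulfilment": Purpose("contract", frozenset({"email", "name", "shipping_address"}),
                                timedelta(days=365), "erase"),
    "support_ticket": Purpose("legitimate_interests", frozenset({"email", "name", "ticket_text"}),
                              timedelta(days=180), "anonymize"),
}
DIRECT_IDENTIFIERS = {"email", "name", "shipping_address"}  # removed on anonymisation


class PurposeViolation(ValueError):
    """Data collected or used outside its declared purpose."""


def collect(purpose_name: str, submitted: dict, collected_at: datetime) -> dict:
    """Accept a submission only if every field is allowed for the purpose. Rejecting
    surplus fields (not silently dropping them) fails closed and surfaces over-collecting forms."""
    extra = set(submitted) - PURPOSES[purpose_name].allowed_fields
    if extra:
        raise PurposeViolation(f"{purpose_name!r} may not collect {sorted(extra)}")
    return {"purpose": purpose_name, "collected_at": collected_at, "data": dict(submitted)}


def check_use(record: dict, purpose_name: str) -> None:
    """Purpose limitation: a record is usable only for the purpose it was collected for.
    Anything else needs a fresh collection or a documented compatibility assessment."""
    if record["purpose"] != purpose_name:
        raise PurposeViolation(f"collected for {record['purpose']!r}, not {purpose_name!r}")


def retention_action(record: dict, now: datetime) -> str:
    """'keep' inside the retention period, else the purpose's end-of-life action."""
    purpose = PURPOSES[record["purpose"]]
    return "keep" if now - record["collected_at"] < purpose.retention else purpose.end_of_life


def anonymize(record: dict) -> dict:
    """Drop direct identifiers and coarsen the timestamp to a month. The residue may still
    be personal data if it can be linked to someone (free text often can); that review is manual."""
    data = {k: v for k, v in record["data"].items() if k not in DIRECT_IDENTIFIERS}
    return {"purpose": record["purpose"], "anonymized": True, "data": data,
            "collected_month": record["collected_at"].strftime("%Y-%m")}


def apply_retention(records: list, now: datetime) -> list:
    """Retention sweep: keep, anonymise or erase each record."""
    survivors = []
    for record in records:
        action = retention_action(record, now)
        if action == "keep":
            survivors.append(record)
        elif action == "anonymize":
            survivors.append(anonymize(record))
        # "erase": the record is simply not carried forward
    return survivors


def sample_run() -> dict:
    """Constructed records exercising each rule; returns a summary dict."""
    now = datetime(2026, 1, 15, tzinfo=timezone.utc)
    day = timedelta(days=1)
    records = [
        collect("newsletter", {"email": "ana@example.com"}, now - 10 * day),
        collect("order_fulfilment", {"email": "ben@example.com", "name": "Ben",
                                     "shipping_address": "1 High St"}, now - 400 * day),
        collect("support_ticket", {"email": "cy@example.com", "name": "Cy",
                                   "ticket_text": "login fails after reset"}, now - 200 * day),
    ]
    try:  # a newsletter form that also asks for a home address
        collect("newsletter", {"email": "d@example.com", "home_address": "2 Low Rd"}, now)
        over_collection_blocked = False
    except PurposeViolation:
        over_collection_blocked = True
    try:  # newsletter addresses reused for an unrelated purpose
        check_use(records[0], "order_fulfilment")
        reuse_blocked = False
    except PurposeViolation:
        reuse_blocked = True
    survivors = apply_retention(records, now)
    return {"over_collection_blocked": over_collection_blocked, "reuse_blocked": reuse_blocked,
            "actions": [retention_action(r, now) for r in records],
            "survivors": len(survivors), "anonymized_ticket": survivors[-1]}
```

Calling `sample_run()` shows the three outcomes side by side: the ten-day-old newsletter signup is kept, the 400-day-old order is erased, and the 200-day-old support ticket survives only as an identifier-free ticket text tagged with its month. The anonymise step removes only the fields you told it are identifiers, so a ticket whose free text names the customer would pass through it; that is where a human re-identification review belongs, and the function’s docstring says so rather than pretending otherwise.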

Principle 6: Integrity and confidentiality (security)

This principle is all about safeguarding personal data with the right security measures to prevent unauthorized access, loss, or damage.

Imagine the worst-case scenario: a data breach. Now think of the measures that could have prevented it or limited its blast radius: encrypt sensitive information at rest and in transit, enforce strong access controls so that each system and person sees only what their task requires, and conduct regular security audits and testing. By prioritizing security, you protect not just the data but the trust your customers have placed in you.

Principle 7: Accountability

Accountability ensures that organizations take full responsibility for GDPR compliance and can demonstrate their adherence to its principles. This principle is not just about following the rules but also about actively showing that you respect and uphold individuals’ rights under GDPR.

To meet this requirement, organizations must document their data processing activities, conduct regular audits, and maintain thorough records of compliance efforts. This includes demonstrating that individuals’ rights—such as the right to access, rectify, and erase their data—are respected and fulfilled.

For instance, having clear procedures in place to respond to data subject requests within the required time frame (one month under the GDPR, extendable by up to two further months for complex or numerous requests) is crucial. Accountability means being able to prove that your organization is aware of GDPR obligations and committed to protecting individuals’ data rights.

Want to strengthen your proof of compliance? Download the GDPR Accountability Handbook for practical guidance on documenting data processing activities, managing subject rights, and building a defensible, audit-ready privacy program.

Navigating GDPR compliance

Moving through the maze of GDPR compliance can be daunting, but you don’t have to do it alone. TrustArc is here to support your journey with expert guidance and comprehensive data privacy solutions.

Whether you need help implementing the seven GDPR principles or conducting a thorough audit of your current practices, TrustArc has the tools and expertise to ensure your organization remains compliant.

Ready to take your data protection to the next level?

Article

UK privacy law update: Proposed changes to UK GDPR / Data Protection Act

April 16, 2024

https://trustarc.com/resource/uk-privacy-law-update-uk-gdpr/

Four years after Brexit, the UK’s data protection laws are being reviewed by the UK Government again – mostly to ensure it can govern data rights in the country under UK law, rather than deferring to EU law.

Organizations operating in multiple jurisdictions must comply with all applicable data protection laws for each territory. TrustArc’s Regulatory Guidance helps organizations stay abreast of ever-evolving privacy laws across multiple jurisdictions.

There is some urgency among UK lawmakers to drive these changes since the Retained EU Law (Revocation and Reform) Act 2023, whose main provisions took effect on January 1, 2024, removed some post-Brexit obligations under European Union law as applied to the UK GDPR and the UK Data Protection Act.

The UK Department for Science, Innovation and Technology (DSIT) highlighted this change in its draft Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023, published on September 11, 2023.

In its explanatory note accompanying the draft, DSIT stated the regulations will:

  • “revoke and replace Article 4(28) of the UK General Data Protection Regulation and section 205(1A) of the Data Protection Act 2018 which relate to the meaning of references to fundamental rights and fundamental freedoms in data protection legislation”; and
  • “insert new definitions of fundamental rights and fundamental freedoms into the UK GDPR and DPA 2018 so that after the end of 2023 … [these references] … will be references to rights under the European Convention on Human Rights within the meaning of the Human Rights Act 1998.”

UK Data Protection laws in the 21st century

The UK Government has enforced data privacy and protection under three main sets of laws this century:

  1. Privacy and Electronic Communications Regulations 2003 (PECR), which came into force on December 11, 2003, and govern the confidentiality of electronic communications, including cookies and electronic marketing, together with breach notification duties for communications service providers.
  2. UK General Data Protection Regulation (UK GDPR), the retained UK version of the EU General Data Protection Regulation (EU GDPR, adopted on April 27, 2016 and applicable from May 25, 2018). The UK GDPR has applied since January 1, 2021, when the Brexit transition period ended. It mostly reflects the fundamental personal data rights of the EU GDPR, but applies to organizations established in the UK and to organizations outside the UK that process the personal data of individuals in the UK.
  3. UK Data Protection Act 2018 (DPA), which replaced the Data Protection Act 1998 (itself the successor to the Data Protection Act 1984) and supplements the UK GDPR with stronger rules on special categories of personal data such as ethnic origin, political opinions and health, plus separate regimes for law enforcement and intelligence services processing.

Amendments to data protection laws in the UK are being reviewed by Parliament under a proposed bill titled Data Protection and Digital Information Bill (No.2).

Bill to amend UK GDPR intends to ‘cut paperwork’

The UK Parliament’s Data Protection and Digital Information Bill (No.2) is the second recent attempt in the UK Parliament to bring data rights under UK law, rather than EU law.

The original version of the Data Protection and Digital Information Bill was introduced in the House of Commons on July 18, 2022, and stalled for several months.

That proposed Bill was then withdrawn so the updated version could be introduced on March 8, 2023.

Later that day, the UK Government’s Department for Science, Innovation and Technology (DSIT) issued a press release about the Data Protection and Digital Information Bill (No.2) headlined “British Businesses to Save Billions Under New UK Version of GDPR”, with the subheading promising “New data laws to cut down pointless paperwork for businesses and reduce annoying cookie pop-ups”.

While there is a proposal to reduce some requirements for cookie consent pop-ups, the Bill also proposes tougher penalties for ‘nuisance’ calls and texts up to £17.5 million or 4% of global turnover, whichever is greater.

UK Information Commissioner John Edwards said he welcomed the reintroduction of the Bill and supported its ambition “to enable organizations to grow and innovate whilst maintaining high standards of data protection rights”, adding “data protection law needs to give people confidence to share their information to use the products and services that power our economy and society”.

On the latter aim, giving people the confidence to share their information, the Bill contains a commitment to establish a digital verification service framework so individuals can more easily and safely prove their identity digitally, and thus speed up their interactions with organizations.

Further amendments to the Data Protection and Digital Information Bill (No.2) were proposed in November and December 2023. Edwards released new commentary on the Bill on December 19, 2023.

He continues to seek changes to the text such as:

  • improving several definitions, particularly for activities considered ‘high-risk processing’;
  • greater independence for the ICO (“namely removing the Secretary of State approval over statutory ICO codes”);
  • updating rules about the ICO’s activities to allow the Office to serve information, enforcement and penalty notices electronically;
  • extending the reporting period for personal data breaches under Privacy and Electronic Communications Regulations from 24 to 72 hours (aligned with UK GDPR);
  • tightening rules around processing data when used for government audits or investigations of individuals, especially related to tax and social security – Edwards notes stronger safeguards are needed to protect individuals against arbitrary interference with their rights; and
  • clarifying rules for businesses responding to subject access requests to reduce ‘vexatious’ requests and organizations only need to run ‘reasonable and proportionate searches’.

Overview of key proposed amendments to UK GDPR

The UK Government’s press releases on the Bill state that its proposed amendments to UK data protection law will “introduce a simple, clear and business-friendly framework that will not be difficult or costly to implement”.

The intents and claims for these amendments are summarized below.

1. Simpler UK GDPR compliance

Proponents of the amendments claim they will ‘cut pointless paperwork’ in current UK data protection laws by giving organizations more flexibility over how they meet compliance requirements. The changes especially target record-keeping and reporting requirements under UK GDPR, which the Government’s press release described as inherited from the EU GDPR’s “highly prescriptive, top-down approach to data protection regulation which can limit organizations’ flexibility to manage risks and places disproportionate burdens on small businesses.”

However, there is a caveat: organizations that are public bodies or carry out high-risk processing will need to designate a ‘senior responsible individual’ from senior management, a role which replaces the current requirement to appoint a Data Protection Officer in those cases.

Claimed benefits: organizations will only need to maintain records of processing activities for personal data if those processing activities “pose high risks to individuals’ rights and freedoms”.

2. Continued compliance for international data transfers

The Government states the reforms are also intended to ensure the UK maintains its data adequacy decision from the EU and to build international confidence in the UK’s data protection standards to support “the free flow of personal data between like-minded countries”.

Claimed benefits: businesses operating in the UK that are already compliant with existing UK data laws will be allowed to continue using their existing international data transfer mechanisms to share personal data overseas. The press release says “This will ensure British businesses do not need to pay more costs or complete new checks to show they’re compliant with the updated rules”.

[See section below: UK-US Data Bridge: International Data Transfer Adequacy]

3. Permitted processing of personal data without consent

Organizations have always had to weigh their interests in collecting personal data against individuals’ privacy rights; the amendments provide some leeway for the collection of personal data if the insights from that data are in the public interest.

Claimed benefits: organizations may collect personal data without needing consent where they can prove collection and sharing of that data is necessary to “prevent crime, safeguard national security or protect vulnerable individuals”.

4. Broader definition of scientific research

The Government’s press release states “current data laws are unclear on how scientists can process personal data for research purposes, which holds them back from completing vital research that can improve the lives of people across the country”. The new Bill proposes an updated definition giving commercial organizations similar freedoms as academics to collect and use/reuse data for scientific research.

Claimed benefits: the Bill proposes reducing paperwork and legal costs for researchers, which the Government claims will “encourage more scientific research in the commercial sector”. The new Bill contains a non-exhaustive definition of scientific research, which covers any processing that “could reasonably be described as scientific and could include activities such as innovative research into technological development”.

5. Safeguards applied to AI

The Government’s press release notes the current data protection laws in the UK are “complex and lack clarity for solely automated decision-making and profiling which makes it difficult for organizations to responsibly use these types of technologies”. The new Bill clarifies rules for businesses using automated decision-making. It includes requirements for businesses to make people aware they may be subject to automated decisions, explain the reason/s for processing, and notify them of their rights, including rights to “challenge and seek human review when those decisions may be inaccurate or harmful”.

Claimed benefits: the Government says these updated rules will “Increase public and business confidence in AI technologies”, while giving businesses, AI developers, and individuals “greater clarity about when these important safeguards for solely automated decision-making must apply”.

Amendments focused on national security

A UK Government press release published on November 23, 2023, claimed a handful of proposed changes to the Bill “will safeguard the public, prevent fraud, and unlock post-Brexit opportunities”.

The main changes sought by the Government are:

  • Access to targeted individuals’ financial activities data – giving government agencies new powers to require data from third parties (such as banks and other financial institutions), which could be used to help identify fraud; and
  • Retention of targeted individuals’ biometrics data – allowing national security agencies (such as Counter Terrorism Police) to keep for longer the biometric data of individuals identified by an agency as ‘posing a potential threat to national security’. This update brings retention of biometric data such as fingerprints in line with INTERPOL’s data retention rules.

Although the UK GDPR isn’t being revoked by the Retained EU Law Act, it will be more tightly interpreted through UK case law, rather than EU case law.

In the EU, while each member state can pass legislation permitting some exemptions to personal data rights in cases of national security, the EU GDPR contains stronger safeguards for individual rights versus government organizations’ interests.

The proposed changes to UK data privacy and protection law generally keep many of the UK GDPR’s data protection principles that apply to all organizations processing personal data in the UK.

When the UK GDPR came into effect it carved out greater national security exemptions from some data protection rules around the collection, processing, and use of personal information than those allowed under the EU GDPR.

These carveouts for intelligence services, immigration control, and national security effectively limit personal data rights for citizens when government organizations choose to apply them.

UK-US Data Bridge: International data transfer adequacy

The UK Extension to the EU-U.S. Data Privacy Framework (the “UK-US Data Bridge”) came into force on October 12, 2023. It allows organizations in the UK to transfer personal data to US organizations that are certified to the DPF and its UK Extension without the additional safeguards that would otherwise be required, such as the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU standard contractual clauses. Those mechanisms remain necessary for transfers to any US recipient that is not certified.

The UK-US Data Bridge was established on September 21, 2023, by the UK Secretary of State for Science, Innovation, and Technology, the Rt Hon Michelle Donelan MP. The Secretary of State also laid adequacy regulations in Parliament, supported by the US Attorney General’s decision on September 18, 2023, to designate the UK as a ‘qualifying state’.

To rely on the UK-US Data Bridge, the US recipient must self-certify to the EU-U.S. DPF, opt into the UK Extension and appear on the Data Privacy Framework (DPF) list maintained by the US Department of Commerce. The UK exporter should check the list before transferring, and remains accountable under UK GDPR for the transfer and for the recipient’s handling of the data.


Demonstrating DPF verification is critical for your global compliance and data transfer mechanisms and includes:

  • Privacy-compliant data flows
  • Operationalizing data mechanisms for accountability, such as strong privacy notices
  • Verified seal to show the organization has met compliance requirements and is committed to protecting personal data and privacy.

To participate in the UK Extension to the EU-U.S. DPF an organization must also participate in the EU-U.S. DPF, whereas it is possible to participate exclusively in either the EU-U.S. DPF or the Swiss-U.S. DPF.

Article

Compliance Brief: Data Minimization under GDPR, CCPA and other Privacy Laws

February 13, 2024

https://trustarc.com/resource/data-minimization-gdpr-ccpa-privacy-laws/

Businesses must become significantly more disciplined in how they collect and use data. Excessive data collection is not only inefficient but also introduces legal and reputational risk.

The need for more responsible data practices has been evident for some time. As early as 2017, publications such as The Economist highlighted the growing tension between the rapid expansion of technology companies and increasing public concern over privacy and regulatory oversight.

In response to these concerns, major legislative actions followed. The European Union’s General Data Protection Regulation (GDPR) became enforceable on May 25, 2018. It established comprehensive data rights for individuals, including the right to limit how their data is processed and the right to request its deletion. A foundational principle of GDPR is data minimization—collecting only what is necessary for a specific purpose.

Soon after, California enacted the California Consumer Privacy Act (CCPA) on June 28, 2018; it took effect on January 1, 2020, and enforcement began on July 1, 2020. The CCPA introduced similar protections for personal data and, as amended by the California Privacy Rights Act (CPRA), became the first comprehensive U.S. state privacy law to state a data minimization requirement explicitly.

Data minimization requirements in privacy regulations worldwide

While many enforcement actions of privacy regulations focus on privacy breaches and/or misuse of personal information, investigators also look for compliance with data minimization principles, which are now standard in many regulations. These principles were put in place to address data hoarding and focus on:

  • Breach exposure minimization – minimizing the amount and detail of any personal information that could be stolen in a breach
  • Purpose limitations – restricting data collection to information that is demonstrably necessary for the stated purposes, such as delivering the product or service the individual asked for
  • Lawful basis and consent – collecting personal data only where a lawful basis exists; where that basis is consent, it must be informed, specific and freely given, and cover each of collection, processing, sharing, and sale.

Questions to ask about personal data collected by your organization:

  • Is it mapped and tracked throughout its lifespan? Can the business quickly identify the locations of each piece of personal information collected and track its use history, including every instance of how it was accessed and processed – and why each activity was necessary?
  • Is it adequate? Does the personal data collected contain enough (but not more than enough) information to help your business identify the individual and sufficiently deliver a personalized service (stated purpose)?
  • Is it relevant? Is it clear how each piece of personal information is relevant to fulfilling the stated purpose?
  • Is it limited to what is necessary? Does the data collection only capture information needed for the stated purpose – and no more than is reasonably necessary?
  • Is it still useful and do you still have permission to store it? Is the information contained in a collection of personal data up-to-date and accurate or has it passed its acceptable and/or permitted use-by date?
  • Is it properly secured? Is the data protected by access controls and other cybersecurity measures to prevent unauthorized and unlawful use, or accidental loss or damage?
  • Is access controlled based on permissions? Does each data system, staff member, third party, or business partner only have access to the data they are explicitly permitted to access – and only what is adequate, relevant, and necessary for them to fulfill a permitted task (and nothing else)?
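Several of the questions above (tracking every access and why it was necessary, and limiting each person or system to the fields their task needs) can be answered by an access layer that enforces them rather than by policy alone. The following is an added example written for this page, not code from the original article or from TrustArc: a hypothetical policy maps roles to the purposes they may act for, and purposes to the fields they may see. `read_subject` refuses a role that has no business with the stated purpose, projects the record down to that purpose’s fields, and appends an audit entry for both allowed and denied calls; `access_history` lists every access to one person’s data. The roles, purposes, fields and the sample record are all constructed.

```python
"""Purpose-bound, least-privilege reads of personal data with an audit trail
(illustrative; policy tables are hypothetical)."""
from __future__ import annotations

from datetime import datetime, timezone

# Hypothetical policy. In practice both tables come from the record of
# processing activities, so that "why" is always a declared purpose.
ROLE_PURPOSES = {
    "support_agent": {"resolve_ticket"},
    "warehouse": {"ship_order"},
    "analyst": {"usage_stats"},
}
PURPOSE_FIELDS = {
    "resolve_ticket": {"name", "email", "ticket_text"},
    "ship_order": {"name", "shipping_address"},
    "usage_stats": {"signup_month", "plan"},
}


class AccessDenied(PermissionError):
    """The actor's role is not permitted to process data for this purpose."""


def read_subject(store: dict, audit: list, subject_id: str, actor: str,
                 role: str, purpose: str, now: datetime | None = None) -> dict:
    """Return only the fields `purpose` needs, and log who read what and why.
    Denied attempts are logged too: they are the signal that a person or an
    integration is reaching for data it was never meant to see."""
    now = now or datetime.now(timezone.utc)
    entry = {"time": now.isoformat(), "actor": actor, "role": role,
             "purpose": purpose, "subject": subject_id}
    if purpose not in ROLE_PURPOSES.get(role, set()):
        audit.append({**entry, "outcome": "denied", "fields": []})
        raise AccessDenied(f"{role!r} may not act for purpose {purpose!r}")
    record = store[subject_id]  # KeyError for an unknown subject is intended
    projected = {k: record[k] for k in PURPOSE_FIELDS[purpose] if k in record}
    audit.append({**entry, "outcome": "allowed", "fields": sorted(projected)})
    return projected


def access_history(audit: list, subject_id: str) -> list:
    """Every access to one person's data with actor and purpose: the raw
    material for answering a subject access request and for spotting misuse."""
    return [e for e in audit if e["subject"] == subject_id]


def sample_run() -> dict:
    """Constructed store and three accesses; returns what each caller saw."""
    store = {"u-1001": {"name": "Ana", "email": "ana@example.com",
                        "shipping_address": "1 High St", "ticket_text": "2FA broken",
                        "signup_month": "2025-06", "plan": "pro"}}
    audit: list = []
    t0 = datetime(2026, 1, 15, 9, 0, tzinfo=timezone.utc)
    agent_view = read_subject(store, audit, "u-1001", "sam", "support_agent",
                              "resolve_ticket", t0)
    try:  # warehouse staff have no business reading support tickets
        read_subject(store, audit, "u-1001", "kim", "warehouse", "resolve_ticket", t0)
        denied = False
    except AccessDenied:
        denied = True
    analyst_view = read_subject(store, audit, "u-1001", "lee", "analyst",
                                "usage_stats", t0)
    return {"agent_fields": sorted(agent_view),
            "agent_sees_address": "shipping_address" in agent_view,
            "warehouse_denied": denied,
            "analyst_view": analyst_view,
            "history_outcomes": [e["outcome"] for e in access_history(audit, "u-1001")]}
```

The projection is the minimization step at read time: the support agent gets name, email and ticket text but never the shipping address, and the analyst gets only signup month and plan. The audit list is an ordinary Python list here; in a deployment it would be append-only and shipped to a log store or SIEM, because an access log that the same application can rewrite proves nothing to an auditor.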

EU GDPR made data minimization a key principle

The EU’s GDPR sets a standard for privacy that gives individuals in the EU strong privacy rights, especially more visibility into, and control over, how organizations may collect and use their personal data.

Data minimization is listed in GDPR Article 5 as one of seven principles relating to the processing of personal data:

  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

The data minimization principle is explained by the European Data Protection Supervisor:

‘The principle of “data minimisation” means that a data controller should limit the collection of personal information to what is directly relevant and necessary to accomplish a specified purpose.

‘They should also retain the data only for as long as is necessary to fulfill that purpose. In other words, data controllers should collect only the personal data they really need, and should keep it only for as long as they need it.

‘The data minimisation principle is expressed in Article 5(1)(c) of the GDPR and Article 4(1)(c) of Regulation (EU) 2018/1725, which provide that personal data must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”.’

UK data protection rules on data minimization similar to EU GDPR

After Brexit, the EU GDPR was retained in UK law as the UK GDPR, and the UK Data Protection Act 2018 was amended to sit alongside it; the UK GDPR’s rules closely follow those of the EU GDPR. As a result, individuals in the UK keep strong rights over their personal data and special category data, including control over how organizations may collect and use it.

The UK GDPR data protection principles match all seven of those listed in the EU GDPR (see above).

The data minimization principle is explained by the UK Information Commissioner’s Office:

‘You must ensure the personal data you are processing is:

  • adequate – sufficient to properly fulfil your stated purpose;
  • relevant – has a rational link to that purpose; and
  • limited to what is necessary – you do not hold more than you need for that purpose.

Article 5(1)(c) says: “Personal data shall be: (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)”.

So you should identify the minimum amount of personal data you need to fulfil your purpose. You should hold that much information, but no more.’

Data minimization in the United States

In the United States, data minimization is emerging as a common principle across state consumer privacy laws, though its implementation varies widely. Generally, these laws require that businesses limit the collection, use, and retention of personal data to what is reasonably necessary and proportionate to achieve specified purposes.

However, most U.S. laws provide broad flexibility, allowing businesses to define those purposes as long as they are disclosed to consumers. This approach contrasts with more prescriptive models like the EU’s GDPR, which imposes stricter purpose limitations.

Notably, states such as California, Colorado, and Virginia incorporate data minimization as a foundational obligation, but still permit processing for a range of operational needs. Maryland, by contrast, has adopted a narrower standard, restricting data processing to what is necessary for the specific product or service requested by the consumer—signaling a possible shift toward more restrictive U.S. interpretations of data minimization.

Below are summaries of data minimization requirements in two key U.S. states, California and Maryland, which illustrate the varying approaches to this principle.

California

The CCPA, which was amended by the California Privacy Rights Act (CPRA), led the way in the U.S. with the first comprehensive state privacy regulation to give consumers enforceable rights over how – or whether at all – businesses collect, process, store, share or sell personal data.

The amendments under CPRA place more restrictions on collection, storage and use of sensitive personal information, and include data minimization and purpose limitation rules in section 1798.100 ‘General Duties of Businesses that Collect Personal Information’ which accompany requirements for informing consumers of purposes for data collection:

  • Additional categories – 1798.100 (a) (1): “A business shall not collect additional categories of personal information or use personal information collected for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected without providing the consumer with notice consistent with this section.”
    (Note: subsection (a) (2) uses practically the same words as the rule above, applying them to ‘sensitive personal information’.)
  • Storage period – 1798.100 (a) (3) “The length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine that period provided that a business shall not retain a consumer’s personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.”
  • Proportionate use – 1798.100 (c) “A business’ collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.”

Businesses must also ensure third parties, contractors and commercial partners comply with CCPA rules, including data minimization requirements.

Maryland

Maryland’s data minimization requirements, introduced under the Maryland Online Data Privacy Act of 2024 (MODPA), take a more stringent and prescriptive approach compared to other U.S. consumer privacy laws.

Unlike frameworks such as the CCPA or Colorado Privacy Act, which generally require that personal data collection be limited to what is “reasonably necessary” for disclosed purposes, MODPA mandates that businesses only collect, process, and retain personal data that is “reasonably necessary and proportionate” to provide or maintain a specific product or service requested by the consumer.

This narrower scope restricts the use of personal data for broader business purposes—such as analytics, product improvement, or advertising—unless the consumer has explicitly requested the service that requires such processing. MODPA’s approach reflects a shift toward a more EU-like, purpose-limited model of data governance, elevating the standard for necessity and limiting the discretion businesses typically have under other U.S. laws.

For a closer look at MODPA’s unique provisions and how they compare to other U.S. state laws, read our overview of Maryland’s Online Data Privacy Act’s Novel Approach to Consumer Privacy.

Data minimization is no longer optional

From the EU’s GDPR to California’s CCPA and Maryland’s MODPA, one principle is increasingly consistent: collect less, prove purpose, and protect what you process. Data minimization is a strategic imperative that aligns privacy, security, and efficiency.

For privacy professionals, this means moving beyond awareness into operational excellence. Mapping data lifecycles, documenting necessity, and embedding minimization logic into product and service design aren’t just best practices—they’re risk reducers and trust builders. As more jurisdictions sharpen their stance on what’s “reasonably necessary,” organizations that over-collect or under-document may find themselves on the wrong side of enforcement and public sentiment.

Now is the time to treat data like a critical resource, not a limitless asset. Ask hard questions. Trim the excess. Architect for purpose. Because when less is truly more, your privacy program is doing its job.

eBooks

Guide to Addressing GDPR Consent Requirements

February 5, 2024

https://trustarc.com/resource/addressing-gdpr-consent-requirements/

Impact of the GDPR Consent Requirements on Business Operations

Companies need to comply with GDPR consent requirements when marketing goods or services to EU residents.

Key takeaways include:
  • Learn about the broad definition of “Personal Data” in the GDPR and its impact on collecting contact information

  • Learn about third party contact lists, stale consents and more

  • Learn about consent management best practices and regulatory guidance

The Ins and Outs of the Utah Consumer Privacy Act https://trustarc.com/resource/the-ins-and-outs-of-the-utah-consumer-privacy-act/ Thu, 01 Feb 2024 20:11:00 +0000 https://trustarc.com/?post_type=resource&p=3527
Whitepaper

The Ins and Outs of the Utah Consumer Privacy Act

What can you expect?

The Utah Consumer Privacy Act (UCPA) goes into effect on December 31, 2023, making Utah the 4th US state to pass a data privacy law. Now is the time to start getting ready. There are many details for data privacy professionals to unpack, including responsibilities, enforcement, and limitations.

Key takeaways include:
  • Who is subject to the Utah Consumer Privacy Act?

  • What responsibilities will organizations have to provide transparency and protect consumer rights?

  • How does the Utah regulation differ from the GDPR and the laws in Colorado, California, and Virginia?

GDPR Accountability Handbook https://trustarc.com/resource/gdpr-accountability-handbook/ Thu, 25 Jan 2024 21:20:00 +0000 https://trustarc.com/?post_type=resource&p=3386
Handbooks

GDPR Accountability Handbook

The accountability principle in Article 5(2) of the GDPR requires organisations to demonstrate compliance with the principles of the GDPR.

Our research has identified 39 Articles under the GDPR that require evidence of a technical or organisational measure to demonstrate compliance and has mapped these to the Privacy Management Accountability Framework. The result is the identification of 55 privacy management activities.

Key takeaways include:
  • Identifying the 39 Articles under the GDPR

  • Identification of 55 privacy management activities to help with GDPR compliance

  • Overview of the Privacy Management Accountability Framework
