What the Commission Has Actually Proposed

On 19 November 2025 the European Commission published the Digital Omnibus, a package that would amend the GDPR alongside the ePrivacy rules, the Data Act, and other digital law. It is the first substantial attempt to revise the GDPR since the regulation took effect in May 2018. The stated aim is simplification: fewer administrative obligations for lower-risk processing, clearer definitions, and a single point for reporting incidents across several EU instruments.

Several changes matter to an owner-run business. The duty to appoint a Data Protection Officer would be narrowed, so fewer companies would be obliged to designate one. The definition of personal data would be clarified, with particular attention to pseudonymised data, so that information may not count as personal for a company that has no reasonable means to identify the individual behind it. The exemption from keeping records of processing would rise toward larger headcounts, and breach notification would move from a 72-hour to a 96-hour window and apply only where the risk to people is high.

Why This Is a Proposal and Not the Law

None of this is in force. The Digital Omnibus is a draft regulation that has entered the ordinary EU legislative procedure, which means it must be negotiated and agreed by the European Parliament and the Council of the European Union before it can be adopted. Texts that enter this process are routinely amended, and parts of this one are already being reworked. On current timelines, final adoption is expected no earlier than late 2026 or 2027, and any new obligations would then carry their own transition dates.

The reform is also contested by the institutions that supervise data protection. In a joint opinion on 11 February 2026, the European Data Protection Board and the European Data Protection Supervisor welcomed some of the simplification, including the lighter breach-notification regime, while strongly opposing the narrower definition of personal data and the power it would give the Commission to decide by implementing act what counts as personal data after pseudonymisation. That disagreement is a clear signal that the final wording is not yet settled.

What an Owner Should Do Now

It is easy to err in either direction. One error is to ignore the reform entirely and be caught unprepared when the obligations finally change. The other, more costly, is to start dismantling your data-protection setup now on the strength of a proposal: standing down a Data Protection Officer, deleting records, or relaxing breach procedures while the current GDPR remains fully in force and fully enforceable. Until adoption, today's rules apply in full, and the supervisory authorities can still act on them.

The measured response is to track the file and plan against it, not to act on it. Note which of your current obligations would ease if the proposal passes in something like its present form, and where the change would actually reduce real cost or risk for your business. Keep your present compliance intact, watch the Parliament and Council stages and the supervisory opinions, and be ready to move quickly once a final text and its transition dates are known. Disciplined readiness costs little. Premature dismantling exposes you for a benefit that does not yet exist.