Nader Henein at Gartner asks whether simplification will ease business burdens or stir new challenges
The General Data Protection Regulation (GDPR) didn’t just raise the bar for privacy; it became the global benchmark. Since coming into force in 2018, GDPR has inspired legislation across more than 140 jurisdictions, anchoring a global movement around personal data rights.
Seven years on, as the European Commission proposes to simplify the regulation, especially to help small and medium-sized enterprises (SMEs), business and IT leaders face a critical inflexion point.
Will simplification provide meaningful relief? Or will it introduce new uncertainty in an already complex compliance landscape?
A welcome change, but with conditions
The Commission’s objective is clear: reduce administrative burdens, streamline reporting, and clarify obligations, particularly around documentation, recordkeeping and impact assessments. For SMEs that often lack in-house legal or privacy expertise, this initiative could feel like long-overdue relief.
Yet the risks are equally real. Without harmonised guidance across EU member states, simplification could lead to inconsistent interpretations, potentially increasing, not reducing, compliance challenges. Gartner forecasts a tenfold increase in fines for mismanagement of subject rights by 2026. In that context, even small oversights could prove costly.
Simplification must not come at the expense of clarity. If businesses are to benefit, they’ll need more than fewer forms—they’ll need a firmer understanding of where accountability begins and ends.
Fuelling innovation while protecting privacy
The timing of simplification efforts is no coincidence. Organisations are facing mounting pressure to integrate technologies like artificial intelligence (AI) and machine learning into business operations, but AI is also introducing new and unpredictable risks to personal data.
Gartner estimates that by 2027, over 40% of privacy violations will result from the improper use of AI, particularly where data flows across borders without appropriate safeguards. The EU’s forthcoming AI Act builds on GDPR, requiring companies to integrate privacy into AI systems from the outset.
Italy’s 2023 ban on ChatGPT, triggered by concerns over unlawful data collection and lack of age verification for users, illustrates the intensity of regulatory scrutiny. The Italian Data Protection Authority demanded that OpenAI address these issues before lifting the ban, signalling that non-compliance can lead to swift operational halts.
Such actions highlight the seriousness of enforcement, with hefty fines and business disruptions awaiting those who fail to align with privacy standards.
Simplification could help organisations reallocate compliance resources to meet these emerging demands. But if simplification is misinterpreted as “less responsibility”, the consequences will be severe—both in regulatory action and reputational damage.
Navigating a global maze of rules
GDPR may be Europe’s law, but its influence is global. The United States continues to expand state-level regulations like California’s CPRA. China’s PIPL introduces strict cross-border data controls. India’s new data law, while modelled on GDPR, remains unenforced due to the absence of a regulator.
For global organisations, simplification could offer a strategic advantage—if it results in a clearer compliance path in Europe, they may be able to use GDPR as the anchor standard for privacy governance worldwide. That said, this only works if the revised GDPR remains comprehensive. Incomplete simplification may require businesses to maintain overlapping privacy controls to meet the strictest international laws.
Staying competitive in a changing world
The EU’s rigorous privacy standards position it as a global leader, but can place businesses at a disadvantage compared to regions with more lenient rules, like the US. Emerging technologies, such as quantum computing, may soon escalate data protection costs, prompting companies to reconsider their approaches to handling personal data.
Simplification could provide SMEs with a competitive edge by reducing compliance expenses, but larger organisations face the challenge of managing diverse global regulations. Investing in robust, adaptable privacy strategies will be crucial to staying ahead, even as smaller businesses stretch their resources to keep pace.
What businesses should do
To turn simplification into success, businesses should:
Clarity over complexity
Simplifying GDPR could be transformative—but only if it results in greater clarity, not just less paperwork. In a world where AI is reshaping how data is collected, analysed and monetised, privacy can no longer be seen as a checklist. It must become a strategic capability.
Done well, simplification can help organisations shift from reactive compliance to proactive trust-building. But without precision, the risk is not simplification—it’s oversimplification.
Nader Henein is VP Analyst at Gartner. Gartner analysts will dive deeper into privacy and regulation priorities and trends at the IT Symposium/Xpo in Barcelona, taking place from 10-13 November 2025.