EU announces plans to include GDPR in simplification efforts: what do European startups actually need?

During yesterday's interview with the Center for Strategic and International Studies, European Commissioner for Democracy, Justice, the Rule of Law, and Consumer Protection, Michael McGrath, announced that the upcoming Omnibus Simplification Initiative will also include the General Data Protection Regulation (GDPR).

European startups, particularly data-driven startups, have been vocal about GDPR being a major challenge for their growth and operations. While most don’t oppose the concept of European data privacy per se, concerns remain over data subject access rights, lack of regulatory support, overly broad definition of personal data, and complicated reporting requirements.

The simplification initiative is unlikely to challenge the essence of the GDPR, including the scope of personal data and other core aspects. It will likely focus on reporting requirements only and perhaps touch upon issues of harmonization - another aspect that was outlined in Ursula von der Leyen's mission letter to Henna Virkkunen almost a year ago:

“To ensure a level playing field across the Single Market, as well as fight fragmentation and gold plating, the Commission will pursue a forceful approach to full harmonisation and enforcement. In addition to work on simplifying record-keeping under the General Data Protection Regulation, the Commission will
continue work on its more harmonised implementation and enforcement”

However, the EU should consider expanding the discussion on the GDPR to better support European innovators in these challenging times.

GDPR-related recommendations from CEE startups

Last year, Consumer Choice Center Europe conducted a survey among Central and Eastern European (CEE) startups on the EU’s data strategy regulations, including GDPR, DSA, DMA, AI Act, and more.

Here's what CEE startups had to say about the GDPR:

1. GDPR remains the biggest compliance hurdle for startups.
2. Lack of harmonized enforcement across 27 Member States makes it difficult for innovative companies to navigate the rules efficiently.
3. Startups need more simplicity in regulation and reporting. CEE startups emphasized the need for clearer guidelines and simplified reporting requirements to reduce administrative burdens.
4. A ‘one-stop shop’ is needed among national regulators. Many startups called for either a single agency or better coordination between regulators to clarify EU data compliance requirements. Some also suggested digital tools, possibly AI-powered, to streamline the compliance process.
5. Better cooperation is needed between EU and national regulators. Startups see this as crucial for creating consistent and coherent regulations across jurisdictions, supporting the move toward a Single Digital Market through practical, coordinated measures.
6. More regulatory support is expected from national authorities. Startups want practical recommendations, good practice examples, regulatory sandboxes, checklists, and other tools to help them navigate GDPR while ensuring compliance.
7. Calls to narrow the scope of personal data. Many startups believe that treating almost all data as personal data makes its practical use for product development nearly impossible.
8. Requests to rebalance data subjects' access rights. Some respondents argued that the right to access data is too absolute, with local privacy bodies requesting access to sensitive trade secrets, which could jeopardize business continuity.