Quote from Alex bobby on July 25, 2025, 5:19 AM

Denmark Pushes for GDPR Simplification: Why Scaleups Must Not Be Left Behind

This week, in a notable move toward regulatory modernisation, European Justice Ministers gathered in Copenhagen under the Danish Presidency of the Council of the European Union to discuss targeted simplifications to the General Data Protection Regulation (GDPR). While a full overhaul of the landmark privacy law remains off the table, Denmark is leading the charge for sensible changes—particularly those aimed at reducing the administrative burden for businesses. But in all this effort, one thing must be clear: scaleups must not be forgotten.

GDPR: A Regulatory Milestone with Growing Pains

Since its implementation in 2018, the GDPR has stood as a gold standard in data privacy, often cited globally for its rigorous protection of personal data. However, as years have passed, its rigid interpretation and bureaucratic overhead have become points of contention—especially for small and medium-sized enterprises (SMEs) and Europe’s rapidly growing scaleups. For these businesses, GDPR compliance often requires disproportionate resources and legal acrobatics that divert energy from innovation and expansion.

The informal Copenhagen meeting has made it evident that concerns over the GDPR are no longer siloed within industry circles. Justice Ministers themselves now acknowledge that the regulation, while crucial, needs a more flexible and user-friendly framework if Europe is to remain globally competitive.

A Shift in Tone: Justice Ministers Embrace Reform

Denmark’s Minister for Justice, Peter Hummelgaard, made it clear during the meeting that GDPR reform is a priority under Denmark’s leadership of the EU Council. Referencing the influential Draghi report on European competitiveness, Hummelgaard argued that modernizing GDPR is a key step toward addressing structural regulatory burdens.

Echoing these sentiments were other ministers, including Latvia’s Inese Lībiņa-Egnere and Belgium’s Annelies Verlinden. Both highlighted the need to make data protection simpler and less bureaucratic—especially for businesses that lack the in-house resources of multinational corporations.

The Commission’s Stance: Simplification, Not Overhaul

Michael McGrath, the European Commissioner responsible for the GDPR review, remains cautious. He emphasised that the European Commission is not pursuing a dramatic reopening of the regulation. Instead, the Commission is championing targeted adjustments, particularly aimed at easing compliance for organisations with fewer than 750 employees. Earlier proposals already suggest lighter record-keeping for SMEs and small mid-caps, a move welcomed by many.

However, feedback gathered during recent stakeholder dialogues underscores a broader frustration—not just with the rules themselves, but with how they are interpreted and applied by national Data Protection Authorities (DPAs). There’s an urgent call for consistent application across Member States, stronger guidance from regulators, and streamlined collaboration between key data policy initiatives, such as the Open Data Directive and the Data Act.

Denmark’s Proposal: Smart, Sensible—But Needs Broader Reach

At the heart of Denmark’s push is a "non-paper" outlining several business-friendly GDPR changes. These include:

1. Setting minimum thresholds for when data subject rights apply, reducing frivolous or burdensome requests.
2. Granting flexibility to SMEs in cases of low-risk data processing.
3. Clarifying and potentially exempting some SMEs from complex Data Protection Impact Assessments (DPIAs).
4. Introducing a requirement that individuals contact companies first before lodging complaints with DPAs, thereby reducing regulator workload and promoting faster resolutions.

These proposals are thoughtful and necessary. But there’s a catch: they risk being limited to the traditional definition of SMEs—businesses with fewer than 250 employees and less than €50 million in annual turnover.

Why Scaleups Matter

Europe's scaleups—high-growth firms that have outgrown the SME label but are not yet corporate giants—are a critical engine of economic and technological progress. These businesses are often the ones pushing the boundaries of digital services, AI, biotech, and data-driven innovation. Yet, they face the same bureaucratic load as multinational firms when it comes to GDPR compliance, without having the same legal or financial muscle.

If GDPR simplification efforts stop at SMEs, they risk sidelining the very companies that Europe’s future competitiveness hinges on. The previous GDPR simplification omnibus took a more inclusive approach by extending relief to companies with fewer than 750 employees. That precedent should be preserved—and expanded.

Scaleups already contend with multiple challenges: rigid interpretations of what constitutes personal data, inconsistent enforcement across EU states, public institutions hesitant to share data, and risk-averse private partners. Failing to accommodate their needs in the GDPR simplification process would be a strategic misstep.

A Call for Balance: Simplification Without Compromise

No one is arguing to dismantle the privacy protections that make the GDPR a global model. But the conversation now must shift toward nuance. A one-size-fits-all regulatory approach, however principled, cannot keep pace with a diverse and fast-moving digital economy.

Simplifying the GDPR for SMEs and scaleups is not about weakening data rights. It's about ensuring that compliance mechanisms are proportionate, clear, and fit-for-purpose—especially for companies on the frontline of innovation.

As the Danish Presidency advances these proposals, Europe must seize the moment to strike a smarter balance between privacy protection and business growth. And in doing so, it must remember that supporting those who can scale is just as important as protecting those who are small.

Looking Forward: A GDPR Fit for Europe's Digital Future

As the European Commission prepares to unveil its GDPR simplification proposals later this year, all eyes will be on how far it is willing to go—not just in rhetoric, but in regulatory relief. Denmark’s proactive stance offers a blueprint for pragmatic reform, but the real test will be whether these efforts extend beyond SMEs to embrace Europe’s scaleups—the very companies with the potential to become tomorrow’s tech champions.

A data-driven economy cannot thrive under outdated compliance models. The future of GDPR must be one where privacy protection and business innovation go hand in hand. Simplification, clarity, and proportionality will be key. But above all, the EU must ensure that no high-growth company is left behind in its quest to balance competitiveness with core values.

Now is the time to modernise—not weaken—the GDPR. And that begins with remembering that small businesses matter, but scalable businesses build the future.

Conclusion

The conversation around GDPR reform is no longer just about compliance—it’s about competitiveness, innovation, and Europe’s digital future. Denmark’s leadership in pushing for targeted simplification is a welcome step, particularly for businesses burdened by complex rules and inconsistent enforcement.

But to truly unlock the potential of the European data economy, reforms must go beyond traditional SMEs. Scaleups—those high-growth firms that are outgrowing small status but not yet giants—need to be at the centre of this agenda. Excluding them from simplification efforts would risk stifling the very innovation Europe is trying to foster.

A smarter, more flexible GDPR doesn't mean compromising on privacy. It means building a regulatory environment that protects individuals while empowering companies to grow, compete, and lead. The EU must seize this opportunity to craft a more inclusive and forward-looking framework—one that recognises that safeguarding data and scaling innovation must go hand in hand.

Meta Description

Denmark is leading a push to simplify the EU's GDPR rules, aiming to reduce burdens for SMEs and scaleups. As reforms take shape, experts warn: don’t leave high-growth companies behind.