EU Digital Omnibus: What Data Protection Officers Need to Know About EU GDPR Changes

The European Commission has proposed a “Digital Omnibus” package to simplify parts of the EU’s digital rulebook, introducing targeted amendments to the EU GDPR, the ePrivacy rules, the Data Act, and incident reporting, and adjusting timelines and guardrails under the AI Act. In parallel, the UK’s Data (Use and Access) Act 2025 (DUAA) has already enacted a series of changes to UK GDPR around cookies, automated decision‑making, DSARs, and lawful bases. Policymakers frame both moves as simplification, not a dilution of core principles. Critics, however, warn of a potential erosion of privacy safeguards. For any Data Protection Officer (DPO) or privacy lead working across the UK and EU, this is a pivotal moment to reassess governance, risk, and compliance strategies.

What exactly has the EU proposed?

On 19 November 2025, the Commission unveiled a digital simplification agenda with the Digital Omnibus and a complementary AI Omnibus. At a high level, the package promises to:

  • Harmonise and clarify GDPR obligations (e.g., definitions, lawful bases for AI‑related processing, cookie rules), while asserting that core protections remain intact. [commission.europa.eu]
  • Modernise cookie consent: shifting toward fewer banners, potential browser‑level preference signals, and limited consent exemptions (e.g., audience measurement), still within a GDPR framework. [jdsupra.com], [mwe.com]
  • Streamline breach reporting: extend the authority notification deadline (proposed change from 72 to 96 hours) and provide a single entry point and template across GDPR, NIS2, and DORA. [jdsupra.com]
  • Clarify “personal data” and pseudonymisation: codifying a relative approach whereby data may be non‑personal for an entity that cannot reasonably identify a person, with the Commission empowered to adopt implementing criteria. [mwe.com]
  • Support AI innovation: delay high‑risk AI obligations until tools and standards are ready (potentially to December 2027); expand SME simplifications and sandboxes; and centralise oversight in the EU AI Office.

Proponents stress competitiveness and cutting red tape; estimated EU‑wide administrative savings could reach €5 billion by 2029. [commission.europa.eu]

But there’s vigorous debate. Privacy advocates (e.g., noyb) and several MEPs argue that redefining personal data, enlarging legitimate interests for AI training, and reducing friction around cookies may weaken rights. Coverage by IAPP, JD Supra, and international outlets has spotlighted this push‑and‑pull between innovation and rights.

What’s already in force in the UK (DUAA 2025)?

The UK’s Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025 and is now phasing in changes to UK GDPR, the Data Protection Act 2018, and PECR through staged commencement. The government and ICO highlight:

  • Automated Decision‑Making (ADM): a more permissive framework for solely automated decisions with legal or similarly significant effects, subject to mandatory safeguards such as transparency, human intervention, and a mechanism to challenge the decision. [gov.uk], [ico.org.uk]
  • Subject Access Requests (DSARs): clearer “reasonable and proportionate” search standard and practical tools (e.g., stop‑the‑clock for clarifying requests). [gov.uk]
  • Cookies: limited new scenarios where consent isn’t required for certain low‑risk cookies (e.g., analytics/functionality), aligning practice with long‑standing ICO guidance. [gtlaw.com], [ico.org.uk]
  • Recognised legitimate interests: a new lawful basis for specified purposes (e.g., fraud prevention, public security), reducing the need for a balancing test in those enumerated cases—timings and annex conditions matter, so watch commencement regulations. [trowers.com]
  • ICO remit and approach: the ICO has published guidance and timetables for staged enforcement and compliance, signalling proportionate regulation during the transition. [ico.org.uk], [gov.uk]

The UK frames DUAA as modernisation to help organisations innovate while maintaining strong standards. Guidance hubs on GOV.UK and the ICO provide practical summaries and commencement schedules. [gov.uk], [ico.org.uk]

What it means for a Data Protection Officer (DPO)

1) Governance redesign in a two‑regime world

If you operate across the EU and UK, you now face converging but distinct regimes: the EU’s proposed simplification (Digital Omnibus) versus the UK’s enacted DUAA changes. As a Data Protection Officer, you should maintain a dual‑track compliance map: what is mandatory in the UK today versus what is proposed or likely to change in the EU over the next 12–24 months. [commission.europa.eu], [gov.uk]

2) Lawful bases for AI and analytics

  • EU: expect greater clarity on using legitimate interests for AI development and operation, with documented balancing tests, minimisation, opt‑out pathways, and controls for residual disclosures. Final wording is likely to evolve through negotiations. [jdsupra.com]
  • UK: recognised legitimate interests offer targeted shortcuts for specified purposes, but don’t substitute core DPIA requirements where risk is high. Update privacy notices and records of processing when you rely on them. [trowers.com]

3) Cookies and consent experience

  • EU: anticipate fewer banners, browser‑level controls, and a harmonised approach under GDPR. Plan now for consent‑management platforms (CMPs) that can honour machine‑readable preference signals. [jdsupra.com], [mwe.com]
  • UK: clarify which cookies fall into DUAA’s low‑risk consent exemptions and document your rationale. The ICO expects proportionate, transparent practices and continued respect for PECR. [ico.org.uk]

4) Incident reporting and breach response

  • EU: prepare to consolidate reporting via a single entry point and plan for the proposed 96‑hour deadline for supervisory notifications, but keep running your current 72‑hour clock until the amendment is actually adopted. Harmonised templates will reduce duplication with NIS2/DORA. [jdsupra.com]
  • UK: maintain your current breach procedures, but watch ICO updates for alignment on thresholds and templates; DUAA also tightens regulator powers and complaints handling. [gov.uk]

5) Data classification and pseudonymisation

EU debates around when data ceases to be “personal” (relative identifiability) will matter for analytics and R&D. DPOs should pre‑empt by documenting identifiability assessments, legal constraints, and technical measures (e.g., tokenisation, key controls). [mwe.com]

Critics’ perspective and your risk posture

Advocacy groups and some legislators fear the EU’s proposals redefine personal data too narrowly, ease AI training with insufficient consent mechanisms, and downgrade cookie protections. They warn of a “rollback” in fundamental rights and a tilt towards Big Tech interests. Regardless of their final form, these critiques mean regulators and courts will scrutinise implementations closely. As a DPO, adopt a conservative interpretation until the texts are settled, and maintain robust transparency and opt‑out tooling. [dw.com], [theconversation.com]

What you should do now (EU & UK)

1) Map your exposure and readiness (30–60 days)

  • Build a register of impacts for EU proposals vs UK DUAA across: lawful bases for AI, cookies, DSARs, ADM, and breach notification. Tag each item by EU proposed / UK in‑force status with target dates.

2) Refresh your DPIA and LIA toolkit

  • For the EU, update templates to capture AI‑related legitimate interests balancing, minimisation, opt‑out processes, and data leakage controls.
  • For the UK, add recognised legitimate interests routes where applicable (e.g., fraud prevention), and keep records showing necessity and scope.

3) Re‑engineer your cookie experience

  • Prepare CMP integrations that can respect browser‑level signals and one‑click choices across the EU, while maintaining DUAA‑compatible low‑risk exemptions in the UK. Document purpose categories and retention.

4) Standardise breach reporting workflows

  • Design forward‑compatible processes and forms that line up with the EU’s single entry point and proposed 96‑hour deadline, while preserving UK reporting timetables. Run tabletop exercises to test cross‑border scenarios.

5) Tighten pseudonymisation and identifiability logs

  • Implement technical controls and risk‑based assessments that demonstrate why certain datasets are non‑personal for your entity; anticipate audit trails for regulators.
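The identifiability work in this step, and the documentation of tokenisation and key controls called for under “Data classification and pseudonymisation” above, can be made concrete in code. The following is an added example written for this article, not code from the Commission, the ICO, or any CMP or tokenisation vendor: it tokenises direct identifiers with a keyed HMAC bound to a processing purpose, measures the residual quasi‑identifier risk of the released records, and emits an identifiability assessment record of the kind a regulator may ask to see. The sample records, the field names, and the helper names (`pseudonymise`, `k_anonymity`, `identifiability_assessment`, `relink`) are assumptions for the example; the k‑anonymity threshold of 2 is an illustrative policy choice, not a legal test.

```python
"""Added example for this article: keyed pseudonymisation with an
identifiability log. Illustrative only; not code from the Commission,
the ICO, or any vendor. Sample data and thresholds are constructed."""
import hashlib
import hmac
import json
import secrets
from collections import Counter
from datetime import datetime, timezone

# Constructed sample records (fictional people) for the example.
RECORDS = [
    {"email": "a.smith@example.com", "postcode": "SW1A 1AA", "age_band": "30-39", "spend": 120},
    {"email": "b.jones@example.com", "postcode": "SW1A 1AA", "age_band": "30-39", "spend": 80},
    {"email": "c.khan@example.com",  "postcode": "M1 1AE",   "age_band": "40-49", "spend": 200},
]
DIRECT_IDENTIFIERS = ("email",)          # fields replaced by tokens before release
QUASI_IDENTIFIERS = ("postcode", "age_band")  # fields that can still single people out
K_THRESHOLD = 2                          # illustrative policy: groups smaller than this are risky


def pseudonymise(value: str, key: bytes, purpose: str) -> str:
    """HMAC-SHA256 token for one identifier. The purpose is mixed into the
    message so the same person receives different tokens per purpose and
    datasets released for different purposes cannot be joined without the key."""
    msg = f"{purpose}\x00{value}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def pseudonymise_records(records, key: bytes, purpose: str):
    """Return copies of the records with every direct identifier tokenised."""
    released = []
    for rec in records:
        new = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            if field in new:
                new[field] = pseudonymise(str(new[field]), key, purpose)
        released.append(new)
    return released


def k_anonymity(records, quasi_identifiers=QUASI_IDENTIFIERS) -> int:
    """Smallest group size over the quasi-identifier combination. k == 1 means
    at least one record is unique on those fields even after tokenisation."""
    groups = Counter(tuple(r.get(q) for q in quasi_identifiers) for r in records)
    return min(groups.values()) if groups else 0


def identifiability_assessment(dataset, purpose, recipient, recipient_holds_key, records):
    """Documented, relative judgement: the data stays personal for whoever holds
    the key, and also for a recipient without the key when quasi-identifiers
    still single out individuals (k below the policy threshold)."""
    k = k_anonymity(records)
    return {
        "dataset": dataset,
        "purpose": purpose,
        "recipient": recipient,
        "recipient_holds_key": recipient_holds_key,
        "direct_identifiers_tokenised": list(DIRECT_IDENTIFIERS),
        "quasi_identifiers": list(QUASI_IDENTIFIERS),
        "k_anonymity": k,
        "personal_data_for_recipient": recipient_holds_key or k < K_THRESHOLD,
        "assessed_at": datetime.now(timezone.utc).isoformat(),
    }


def relink(token: str, candidates, key: bytes, purpose: str):
    """Only the key holder can do this: recompute tokens for known identifiers
    and compare in constant time. Without the key the token is opaque."""
    for ident in candidates:
        if hmac.compare_digest(pseudonymise(ident, key, purpose), token):
            return ident
    return None


if __name__ == "__main__":
    # The key belongs in a KMS/HSM with access logging, never beside the dataset.
    key = secrets.token_bytes(32)
    released = pseudonymise_records(RECORDS, key, "analytics")
    print(json.dumps(identifiability_assessment(
        "crm_extract", "analytics", "research-partner", False, released), indent=2))
```

Two points worth noting from the run: the assessment for the full sample still marks the release as personal data for a recipient without the key, because one postcode/age‑band combination is unique, so tokenising the e‑mail address alone was not enough; and the purpose binding means a token issued for analytics cannot be matched against a token issued for, say, marketing, which is the property your records of processing should document alongside where the key lives and who can call `relink`.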

6) Update DSAR playbooks and ADM governance (UK)

  • Embed reasonable and proportionate search practices and stop‑the‑clock mechanisms. For ADM, verify safeguards (human review, appeal, explanations) and record decisions. Train frontline teams accordingly. 

7) Monitor guidance continuously

Track ICO commencement and sector codes, and the EU parliamentary process and EDPB opinions. Expect iterative clarifications. 

The role of the Data Protection Officer (DPO) in 2026 planning

  • DPOs should position themselves as strategy enablers, not just compliance gatekeepers:

    • Policy Integration: Align EU GDPR and UK GDPR playbooks into a global privacy operating model that anticipates divergence without duplicating effort. [commission.europa.eu], [gov.uk]
    • Risk‑first AI governance: Pair legal bases with model risk assessments, privacy‑by‑design controls, and independent model cards documenting data sources, minimisation, and fairness testing. [iapp.org]
    • Transparent UX: Make consent meaningful. Even with fewer banners, provide plain‑language notices, easy preference tools, and privacy dashboards for individuals. [mwe.com]
    • Incident readiness: Build a single intake pipeline for security and privacy incidents that can route to EU or UK requirements, reducing confusion during crises. [jdsupra.com]

Simplification without complacency

The EU’s Digital Omnibus and the UK’s DUAA 2025 are both billed as simplifications. For privacy leaders, that should translate into better tooling and clearer pathways, not weaker controls. Use this moment to modernise your governance stack: sharpen lawful basis records, rationalise consent experiences, and rehearse harmonised incident reporting. Done right, your Data Protection Officer becomes a catalyst for trust and AI‑ready innovation, meeting the letter and spirit of EU GDPR and UK GDPR as they evolve.

Contact us if you would like to learn how GRC Hub can support your organisation with GDPR or act as your Data Protection Officer.


Governance Risk & Compliance Hub LIMITED