Rethinking GDPR: reform, oversight, and the role of the DPO

GDPR has shaped the way organizations handle personal data across Europe for years, yet conversations on how to refine and future-proof the framework continue. At Empowering Privacy Germany, a panel of experts explored what works well in practice, where challenges remain, and how potential reforms could strengthen data protection and make it easier to manage.

The discussion covered a wide spectrum, from the everyday challenges businesses face to the role of supervisory authorities and the evolving responsibilities of Data Protection Officers (DPOs). The result was an open and constructive exchange that gives privacy professionals fresh perspectives on the future of European data protection. Read on for insights from the experts to share with your team. 

The panel featured:

  • Simon Weidler, EMEA Policy Manager Privacy & Data Regulation at Meta
  • Michael Will, President of the Bavarian Data Protection Authority
  • Dr. Stefan Brink, Executive Director at wida; former State Data Protection Commissioner
  • Prof. Dr. Boris Paal, Full Professor of Law & Digital Transformation at the Technical University of Munich
  • Isabelle Stroot, Policy Officer for Data Privacy at Bitkom
  • Dr. Frank Schemmel, Senior Director Privacy, Compliance & Public Affairs at DataGuard 

The practical challenges of GDPR 

The session began with a look at the pressure the GDPR puts on organizations, with panelists from business, academia, and supervisory authorities each bringing their perspective on where the challenges lie.

Isabelle Stroot emphasized that it’s not only small and medium-sized businesses that are feeling the strain. Large companies also face significant challenges, with the effort required for compliance increasing continuously. She argued that a risk-based approach could help ease this load by aligning requirements with the actual level of risk.

Dr. Frank Schemmel highlighted gaps in how the GDPR is interpreted and enforced. He explained that telecommunications secrecy no longer reflects today’s reality and is applied differently by different authorities. Video surveillance is another area where the rules remain unclear: the GDPR fails to offer clear guidance, leaving organizations uncertain about what is permitted.

From the supervisory side, Michael Will shared that around 8,000 complaints are received each year, but questioned how many of them truly help strengthen data protection. At the same time, he warned against abandoning requirements like records of processing activities, arguing that these remain essential for organizations to understand their own data handling.

For Dr. Stefan Brink, the issues are systemic. He argued that the GDPR has carried forward flaws from earlier decades and is sometimes unbalanced, pointing to Article 15—the right of access to personal data—as one example. Uncertainty stems from the open-ended nature of Article 15 GDPR: the right of access is fundamental but lacks precise limits. The law requires a contextual, case-by-case assessment with competing obligations (transparency vs. proportionality vs. third-party rights).

Brink also questioned whether the role of supervisory authorities has been clearly defined, suggesting that more emphasis on guidance and advice could improve outcomes for individuals. Above all, he saw the need for a stronger risk-based approach that differentiates personal data according to its criticality and simplifies compliance overall. 

Shaping GDPR: more balance, less burden 

After outlining the main challenges, the panel turned to possible solutions. Prof. Dr. Boris Paal emphasized that while the GDPR leaves room for interpretation, reforms are necessary to address the existing gaps. He argued that when rights under the GDPR collide, they should be assessed in relation to each other with proportionality in mind.

As an example, he proposed adding an explicit reference in Article 5, which outlines the core principles for processing personal data, to the need for balancing this with other fundamental rights.

Paal also suggested that Article 15 GDPR, granting individuals the right to access their personal data, should give more consideration to the position of data controllers. Taken together, these points reflected his view that the GDPR requires targeted refinements rather than radical change. 

Future of data protection: A unified authority? 

Michael Will cautioned against broad reforms, emphasizing that the bundling of supervisory authorities should not proceed without thorough analysis. He argued that discussions should be based on clear assessments of advantages and disadvantages rather than assumptions. He also pointed out that Germany’s federal system means two categories of supervisory authorities will exist for now, which makes centralization less straightforward than it might seem.

Expanding on this, Dr. Stefan Brink explained that “bundling” oversight could mean different things:

  • centralizing authority at the federal level,
  • consolidating expertise around specific areas like AI or automotive,
  • or creating a service hub at the federal level to support regional bodies.  

What matters most, he stressed, is defining the purpose of bundling before pursuing it. 

The evolving role of the DPO  

Debating the future of the GDPR inevitably brings up the question of how the role of the Data Protection Officer is evolving. Dr. Frank Schemmel argued for a shift toward flexibility and risk management. Instead of needing to master every niche area of expertise, the DPO should ensure a baseline level of protection and act as a risk manager, drawing on external specialists when necessary.

This evolution is particularly relevant for smaller organizations that lack internal resources. For them, the DPO can provide essential expertise while also serving as a point of contact for broader topics, such as the EU AI Act and the Data Act. In this view, the DPO is not only a guardian of privacy but also a guide through the wider landscape of digital regulation. 

Reform priorities from different angles 

From their different perspectives, the panelists shared their priorities for reform:

  • Prof. Dr. Boris Paal: Strengthen proportionality and make the balance of fundamental rights more explicit
  • Dr. Stefan Brink: Put greater emphasis on risk-based approaches, improve cooperation among supervisory authorities, and make proceedings more transparent
  • Isabelle Stroot: Aim for small, targeted changes with significant impact, while distinguishing between EU-level and Germany-specific issues
  • Michael Will: Deliver on the original promise of the GDPR by creating specific regulations, for example, in AI processing
  • Dr. Frank Schemmel: Move Recital 4 into the main body of the regulation to guide court interpretations, remove Article 26, and apply Article 15 in a purpose-based way. He warned against its misuse for employment-related information requests, which can lead to disproportionate costs and go beyond what the provision was designed for

Looking ahead: measured adjustments over radical change 

The panel’s reflections indicated that the GDPR remains a robust framework, but one that needs to evolve. Both organizations and regulators are under pressure, and reforms could help ease that strain while maintaining strong protections.

A recurring theme was the call for a risk-based approach, aligning obligations with the sensitivity and impact of the personal data in question. This stood out as the most promising way forward.

The takeaway was clear: the GDPR does not require radical change, but rather careful adjustments that reflect today’s realities. It has laid a solid foundation, and the task now is to refine it, so it continues to protect individuals while staying workable for organizations.