GDPR Radio – Digital Omnibus, Personal Data and SAR Reform
Catarina Santos and Caine Glancy
Join Caine Glancy and Catarina Santos for Episode 227 of the Data Protection Made Easy podcast. Explore the Digital Omnibus proposals, personal data changes, SAR purpose tests, data breach reforms, cookie rule updates and a new CNIL study on selling personal data. A clear and practical update for UK and EU privacy professionals.
Digital Omnibus, Personal Data Changes and What They Mean for You
Episode 227 of the Data Protection Made Easy Podcast hosted by experts at Data Protection People. This episode was hosted live via Microsoft Teams in front of a live audience of listeners.
What We Covered in This Session
A Catch Up from Caine and Catarina
The episode opens with a look at what the team have been working on. Catarina reflects on a very busy week supporting a major client project alongside her team. Caine shares updates on ongoing STAIRs sessions for social housing providers and hints at an in-person STAIRs event coming soon.
Both hosts also discuss their guest appearance on another organisation’s podcast, where they explored how users understand privacy information, how organisations communicate their obligations and why cross-functional training is so important.
The Digital Omnibus Package Explained
The main focus of the episode is the European Commission’s Digital Omnibus package, announced on 19 November. The discussion highlights several of the most significant proposals, including:
1. A New Approach to Personal Data
The proposal introduces a major shift. Information would be classed as personal data only if the controller has means reasonably likely to identify the individual.
The team explore:
- how this could narrow the scope of personal data
- what this means for indirect identifiers and pseudonymised data
- how case law from Europe is already pushing in this direction
- how this might affect UK organisations if mirrored in future reforms
2. Changes to Data Breach Reporting
Catarina outlines proposals that:
- raise the threshold so only high-risk breaches need regulator notification
- extend the deadline from 72 to 96 hours
Caine questions whether reducing low-risk reporting could hide patterns of poor practice, and the group debate what this means for real-world compliance.
3. Reforms to Cookie Rules
The Digital Omnibus seeks to simplify cookie requirements by reducing reliance on consent for low-risk purposes such as security and aggregated analytics. The team draw comparisons with the UK DUA Act and consider how consent fatigue has shaped this direction.
Insights from Guest Contributor David Appleyard
David shares two important observations:
1. SAR Purpose Tests
Under the new proposals, organisations may reject or charge for a SAR if the purpose is not to access personal data, for example in an employment dispute. This could be a significant change for many organisations that currently process large volumes of tactical or grievance-based SARs.
2. High-Risk AI Processing
David explains that the EU is pushing back deadlines for identifying high-risk AI processing due to a lack of clear guidance, with expectations now set for no later than December 2027.
CNIL Research on Selling Personal Data
Caine introduces a study from the CNIL which found that 65 percent of surveyed French citizens would sell their personal data for between 1 and 100 euros. The hosts explore:
- why people undervalue their own data
- how advertising, profiling and AI training increase the true value
- the growing need for public awareness and transparent communication
Looking Ahead
The session closes with a reminder that the next podcast will explore data retention, followed by an update that the team are working on the new in-house DPP studio.
About the Data Protection Made Easy Community
Our podcast community is one of the most active privacy networks in the UK with more than 150 regular live attendees and over 1,600 subscribers across all audio platforms. Joining the community gives you access to:
- free weekly live sessions with the chance to ask questions
- practical guidance from experienced consultants
- early access to slides and resources
- networking with other privacy and security professionals
- invites to in-person events, workshops and sector-focused discussions
- exclusive content only available to our community members
Attending live offers clear benefits. You can join the conversation, shape the discussion, raise real-world challenges and take part in polls, chat and Q&A. Many listeners tell us they get far more value from attending live than listening back later.
We also have a strong line-up of sessions taking us through to the end of the year, covering topics such as data retention, AI risk, international transfers, STAIRs, marketing compliance and more.
If you are not yet part of the Data Protection Made Easy community, you can join for free and get involved straight away.