Navigating the Digital Omnibus: A UK GDPR Briefing for Busy Data Teams

Catarina Santos

Our Consultant Manager, Catarina Santos, explains the EU’s Digital Omnibus proposals and what they mean for UK organisations.

On 19 November 2025, the European Commission published its Digital Omnibus package. This set of proposals would update several major EU digital laws, including the GDPR, ePrivacy framework, AI Act, Data Act and Data Governance Act. The goal is to simplify compliance and support innovation while maintaining the fundamental rights and protections established in EU law.

For UK organisations that have customers in the EU or that transfer EU personal data, these proposals are strategically important. Although the Omnibus is an EU initiative, it will shape expectations in the wider regulatory environment. It may also influence the UK’s own reforms, including the Data Use and Access Act 2025.

Key Elements of the Digital Omnibus

The Digital Omnibus contains two draft regulations. One amends the AI Act and the other makes cross-cutting updates across digital and data laws. The proposals focus on three core areas: data protection, cybersecurity and breach reporting, and artificial intelligence.

AI Act Adjustments

The Omnibus introduces several changes intended to reduce the early compliance burden on organisations developing or deploying high-risk AI systems.

  • A one-year extension to some high-risk AI compliance deadlines.
  • Expansion of SME-friendly regimes to larger mid-sized organisations.
  • Removal of some obligations, such as AI literacy requirements, for certain providers.

For example, deadlines linked to training and validation obligations would shift to late 2027 rather than 2026. This gives businesses more time to meet new technical standards and reduces early compliance pressure for AI developers working within EU markets.

A Narrower Definition of Personal Data

One of the most significant proposals is a revised definition of personal data. Under the current GDPR, any information that could directly or indirectly identify an individual is treated as personal. This includes names, emails, IP addresses, device IDs and pseudonymous data.

The Omnibus moves to a controller-centred test. Data will only be personal if the organisation processing it has means that are reasonably likely to be used to identify a person.

In practice this means:

  • Highly pseudonymised data or indirect identifiers may fall outside scope if the controller cannot realistically link them to a person.
  • Direct identifiers or data that the organisation could reasonably use to single someone out will remain personal.
  • Judging identifiability becomes relative to each controller’s realistic capabilities.

This approach aligns with recent case law, including SRB v Edenred. It may reduce compliance obligations for analytics and telemetry datasets, but introduces subjectivity. Organisations will need strong documentation to justify how they assess identifiability.

Special Category Data: Direct Versus Inferred

The Omnibus narrows what is considered special category data under Article 9. Only data that directly reveals sensitive characteristics, such as health, religion or political opinions, would fall under the enhanced protections.

Inferences or predictions about sensitive traits, such as deducing health conditions through profiling, would not automatically count as special category data.

The proposals also allow limited exceptions for processing special category data to train or operate AI systems and for biometric data processed on user devices under strict conditions.

Right of Access (DSAR) Reform

The Omnibus provides controllers with stronger grounds to refuse or charge for requests that are abusive or manifestly excessive. This aims to reduce the burden of DSARs used strategically in litigation or to disrupt operations.

Although “abusive” is not tightly defined, the approach mirrors changes already seen in the UK under the Data Use and Access Act. UK organisations will still need clear internal criteria to avoid rejecting legitimate requests.

Breach Reporting Thresholds and Timescales

Under the existing GDPR, controllers must report, within 72 hours, any breach that is likely to result in a risk to individuals’ rights. The Omnibus proposes raising this threshold so that only high-risk breaches must be reported, and extends the reporting window to 96 hours.

The proposals also introduce an EU-wide incident reporting portal operated by ENISA. This would consolidate reporting under GDPR, NIS2, DORA and other frameworks.

UK breach reporting rules remain unchanged. Notifications must still be made without undue delay and within 72 hours unless UK legislation is updated in future.

DPIAs, Automated Decisions and Cookies

The Omnibus includes further measures intended to simplify and standardise compliance:

  • Harmonised DPIA and breach notification templates to be published by the EDPB.
  • Relaxation of restrictions on automated decision-making when contractually necessary.
  • Broader exemptions under ePrivacy rules for analytics and security cookies.
  • Requirement for browsers and operating systems to respect user privacy preference signals once standards are established.

These measures would reduce the volume of consent banners and bring greater technical consistency to DPIAs and cookie compliance. This direction is similar to recent UK guidance on consent and preference management.

Opportunities and Risks

The Omnibus aims to create clearer legal grounds for AI development and reduce administrative burden for organisations. Many businesses welcome the potential for fewer overlapping obligations and more predictable compliance requirements.

There are also trade-offs:

  • Narrowing the definition of personal data could create inconsistent protections across sectors.
  • Higher thresholds for breach reporting may reduce visibility of lower-impact incidents.
  • DSAR reforms risk uncertainty without robust internal guidance.

For UK organisations, divergence between EU and UK regimes is likely to increase. This will require more precise policy alignment, updated data-sharing contracts and consistent governance.

What UK GDPR Teams Should Do Now

  • Review data protection policies and contracts to reflect upcoming EU changes.
  • Update data maps and inventories to assess whether datasets may fall outside scope under the new definition.
  • Refine DSAR triage processes to identify abusive or excessive requests.
  • Monitor breach handling procedures to ensure EU and UK requirements remain aligned.
  • Keep track of regulatory developments from both the EU and UK.

Looking Ahead

The Digital Omnibus is still under negotiation by the European Parliament and Council. If adopted, it will represent a substantial shift in the EU digital regulatory landscape and highlight growing divergence from UK law following the DUAA.

Whether or not the UK adopts similar measures, any organisation operating across both jurisdictions will need to adjust its practices. Preparing early will reduce risk, support innovation and maintain compliance.

The Omnibus signals a wider regulatory trend. Policymakers are recalibrating privacy and digital governance for an AI-driven economy. While some protections may narrow, many proposals aim to reduce friction and bring clarity for businesses. UK organisations should begin planning now to remain compliant and competitive.