GDPR+ Explained: EU Digital Rules Every SME Must Know

The Silent Revolution of the GDPR: Welcome to GDPR+

What if your GDPR checklist isn’t enough anymore?

Over the past few years, the General Data Protection Regulation (GDPR) has silently evolved: not through amendments, but by being enveloped in a powerful new layer of EU digital laws. Welcome to GDPR+: a world where data protection is now embedded into AI regulation, competition law, platform governance, and more.

If you’re an SME handling data in the EU, you’re no longer dealing with just the GDPR. You’re navigating a stacked compliance ecosystem.

What Is GDPR+?

GDPR+ is the unofficial term for the new wave of EU digital legislation that builds on — and sometimes shifts — GDPR standards. Key players include:

  1. AI Act (Artificial Intelligence Act)
  2. DMA (Digital Markets Act)
  3. DSA (Digital Services Act)
  4. DGA (Data Governance Act)
  5. Data Act
  6. ePrivacy Regulation (upcoming)
  7. European Health Data Space, and more

These laws are not standalone silos. They interact with GDPR rights, principles, and enforcement mechanisms.

If your SME collects, shares, or processes data, you’re likely affected by more than one of these laws.

Key Changes in the GDPR+ Era

1. Sensitive Data Profiling Is No Longer Just About the GDPR

Under GDPR Article 9, using special categories of data requires strict safeguards. But now:

  1. The AI Act bans certain types of profiling.

  2. The DSA restricts microtargeting using sensitive data, especially for minors.

This means previously “lawful but high-risk” processing could now be explicitly prohibited.

2. Consent Is Evolving Into “Data Altruism”

Consent used to mean clicking “I agree.” Today:

  1. Under the Data Governance Act, individuals can offer “data altruism” — voluntarily donating their data for research or public interest.

  2. The DMA strengthens user rights to opt into alternatives and challenges the “take-it-or-leave-it” model from dominant platforms.

📌 If you’re relying on user consent for personalization or analytics — it’s time for a recheck.

3. The Right to Explanation Isn’t Dead After All

The AI Act revives and reinforces the often-overlooked Article 22 GDPR, which regulates automated decision-making:

  1. High-risk AI systems must provide meaningful explanations.
  2. CJEU case law in 2024–25 (e.g. Dun & Bradstreet Austria) supports a de facto right to explanation for individuals.

📢 If your platform uses algorithms to score users, predict outcomes, or rank content — transparency is no longer optional.

4. Risk Assessments Are Multiplying

In the GDPR world, we had DPIAs. Now, GDPR+ adds:

  • FRIAs (Fundamental Rights Impact Assessments) — under the AI Act

  • Systemic Risk Assessments — under the DSA

  • Due diligence obligations — in sustainability and human rights laws

🧠 Small teams now face a new challenge: how to consolidate overlapping assessments across laws.

Visual Wake-Up Call: 116 EU Digital Laws

Overview of EU Digital Laws

As of June 2024, there were:

  • 87 adopted digital laws

  • 21 under discussion

  • 8 more coming soon

These cover everything from cybersecurity and industrial policy to platform regulation, finance, and data governance.

👉 Whether you’re a 2-person SaaS team or a growing e-commerce brand, you’re likely touched by multiple digital laws.

Why This Matters for SMEs

SMEs often run lean. You don’t have a compliance department. But ignoring these overlapping laws isn’t an option anymore.

Ask yourself:

  • ✅ Does your privacy policy reflect AI use?

  • ✅ Do your cookies & tracking scripts comply with DSA or DMA?

  • ✅ Are you using standard clauses for US tools like Google or Mailchimp?

  • ✅ Do you know when to do a DPIA vs a FRIA?

If not, your compliance strategy may be outdated — even if you were “GDPR-compliant” in 2020.

