• Ensure consistent interpretation and enforcement of the GDPR through strengthened coordination under the European Data Protection Board (EDPB). Harmonised EDPB guidance, which is evidence-based and proportionate, should prevail over national interpretations, supported by regular reviews. This approach would reduce compliance costs and provide greater predictability for cross-border firms.
• Streamline the adoption of sectoral codes of conduct and certification mechanisms, particularly for small- and medium-sized enterprises (SMEs) and small mid-caps (SMCs). A simplified certification mechanism for businesses carrying out low-risk data processing could enable them to demonstrate GDPR compliance seamlessly as a form of "innovation safe harbour". Such a scheme could incentivise upstream controllers to rely on certified processors for accountability, thereby reducing the need for extensive due diligence and contractual safeguards in low-risk contexts. This may help alleviate disincentives for firms when engaging SME and SMC processors.

These measures may help avoid the need to reopen the GDPR for major amendments, limiting regulatory uncertainty and cost.

• Promote proportionate, risk-based approaches within the existing regulatory framework, allowing supervisory authorities to tailor requirements to the level of risk posed by specific processing activities.
• Regulatory sandboxes should play a constructive role in supporting AI development, training and other data-intensive use cases. These sandboxes enable data controllers to test privacy-preserving techniques under regulatory supervision, helping to reconcile innovation with compliance obligations.
• Provide targeted guidance and support for SMEs and SMCs, ensuring they can navigate complex compliance requirements without a disproportionate burden and continue to innovate responsibly.

• Clarify and rationalise the scope of data subject rights by establishing explicit criteria and safeguards for managing repetitive or unfounded requests. Clear exemptions would prevent abuse, free up resources and enable controllers to focus on legitimate data subject demands.
• Develop standardised assessment tools and guidance for controllers to ensure consistent application across sectors and jurisdictions. Streamlined procedures, such as aggregating similar requests or applying reasonable response timeframes, would enhance efficiency while maintaining the integrity of fundamental rights.

• Simplify overlapping frameworks by harmonising Data Protection Impact Assessment (DPIA) criteria and aligning the GDPR with the e-Privacy regime. Replace fragmented national lists of high-risk processing activities with a single EU-wide list maintained by the EDPB, ensuring consistency for controllers engaged in cross-border operations.
• Aligning the GDPR and e-Privacy frameworks would reduce consent fatigue caused by repetitive consent banners and foster innovation. Allowing alternative lawful bases for non-intrusive processing, such as fraud detection or audience measurement, would protect users, support responsible data use and create a level playing field across the EU data value chain.

Such measures, the paper concludes, would preserve the GDPR's normative foundations while enhancing its economic coherence and adaptability in an evolving data economy.