EDPB 2026-2027 Work Programme: New GDPR Guidelines & Tools

What is happening?

The European Data Protection Board (EDPB) adopted its work programme for 2026 and 2027 on 12 February 2026, according to the EDPB. The programme sets out what the board plans to work on over the next two years, with a focus on making GDPR compliance easier and improving cooperation between data protection authorities across Europe.

What will the EDPB actually produce?

According to the EDPB, the board plans to develop guidelines on a range of topics that affect how businesses handle personal data. These include:

• Consent or Pay models (where websites ask users to either accept tracking or pay a fee)
• Anonymisation and pseudonymisation (how to properly strip or protect personal data)
• Children's data (rules around collecting information from younger users)
• Generative AI and data scraping (how AI tools interact with personal data)
• The relationship between the AI Act and GDPR
• Political advertising

Alongside these guidelines, the EDPB also plans to produce practical tools aimed at non-experts, including templates, checklists, FAQs and step-by-step guides. This is a notable shift toward making compliance resources more accessible to people without a legal background.

Why does this matter?

For small business owners, GDPR can feel like a maze of legal language. The EDPB's stated goal of producing plain-language tools is a practical development worth watching. If you run a website that uses cookie consent banners, collects customer data or uses any AI-powered tools, several of the planned guidelines are directly relevant to you.

The guidelines on Consent or Pay are particularly worth following. This model has become more common as businesses look for alternatives to straightforward cookie consent, and clearer rules will help you understand what is and is not acceptable. Similarly, if your website or marketing tools use any form of AI, the planned guidance on generative AI and the AI Act will be useful reading once published.

For now, it is worth making sure your existing data practices are in good shape. Our GDPR compliance checklist and privacy policy requirements guide are good starting points.

What does this mean for your website?

The EDPB's 2026 and 2027 work programme signals that clearer, more practical guidance is on the way for topics like cookie consent models, AI tools and children's data. While none of these guidelines are published yet, keeping an eye on EDPB updates will help you stay ahead of any new expectations. In the meantime, reviewing your current privacy setup against existing rules is the most useful step you can take today.