EU data watchdogs, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS), have jointly expressed preliminary support for a proposed simplification of the General Data Protection Regulation (GDPR) record-keeping obligations, while urging the European Commission to assess the impact of the changes on data protection and small businesses.
In a letter sent to Commissioner Michael McGrath on May 8, the EDPB and EDPS responded to the Commission’s plan to amend Article 30(5) of the GDPR. The proposal, part of the upcoming Fourth Omnibus package, aims to extend the existing exemption for small enterprises from maintaining records of processing activities to include “small mid-cap companies” (SMCs)—defined as those with fewer than 500 employees—as well as qualifying non-profits.
The Commission also intends to narrow the exemption by requiring companies to maintain records if their data processing is “likely to result in a high risk” to individuals’ rights and freedoms, replacing the current threshold of “likely to result in a risk.”
While welcoming the move toward simplification, the EDPB and EDPS emphasized the need for a balanced and risk-based approach. They called on the Commission to conduct a detailed impact analysis, including how many organizations would benefit from the proposed changes and whether the draft maintains adequate protections for individuals.
“Even very small companies can engage in high-risk processing,” the regulators cautioned, noting that non-occasional and sensitive data processing can still trigger high-risk scenarios requiring oversight.
The regulators also acknowledged that the exemption will no longer apply to processing of sensitive data for employment or social protection purposes—a clarification expected in the proposal’s recitals.
Although this is only a preliminary assessment, the EDPB and EDPS confirmed they will provide further input during the formal consultation process following the draft legislation’s publication.
The simplification initiative reflects broader EU efforts to reduce administrative burdens on SMEs while maintaining robust data protection standards.
Need Help?
If you have questions or concerns about any EU or GDPR guidelines, regulations and laws, don’t hesitate to reach out to BABL AI. Their Audit Experts can offer valuable insight, and ensure you’re informed and compliant.
