Privacy Daily is a service of Warren Communications News.
'Cosmetic Fix'

GDPR Simplification: EC Floats Record-Keeping Tweaks for Small Businesses

The European Commission Wednesday unveiled its latest proposals that are intended to reduce administrative costs for European business by simplifying a range of rules, including in the General Data Protection Regulation (GDPR). The GDPR change, which differed slightly from what was expected, drew mixed reactions from stakeholders.


The fourth simplification omnibus package aims to boost Europe's single market by cutting red tape for small and mid-sized enterprises (SMEs) and small mid-cap companies (SMCs). The EC defines SMCs as organizations that aren't SMEs, employ fewer than 750 people and have annual revenue not exceeding 150 million euros ($170 million). There are around 38,000 SMCs in the EU, which will now benefit from changes to the GDPR and other regulations, it said.

The package aims to cut 400 million euros ($453 million) in annual administrative costs for companies, adding to billions already targeted in earlier simplification packages, the EC said. The proposal simplifies the GDPR record-keeping obligation, and considers the needs and challenges of SMEs and SMCs while ensuring that people's rights are protected, it said.

The concept of exempting more companies from GDPR recordkeeping requirements won preliminary approval from the European Data Protection Board and European Data Protection Supervisor earlier this month based on their understanding that the upper threshold of employee numbers would be 500 (see 2505090003).

Under the proposal, the EC said, SMEs and SMCs with fewer than 750 employees will have to maintain records only when their processing of personal data is "high risk" under the GDPR. Easing these requirements will allow organizations to devote more resources to areas where data protection is most critical, while maintaining high standards of protection, it said.

The EC's move appears to have arisen from its July 2024 assessment of the GDPR, Brussels data protection attorney Tanguy Van Overstraeten emailed. That assessment concluded with a comprehensive list of actions focusing on cooperation, enforcement and consistency, but "there was no appetite to revisit the text of the GDPR itself."

Instead, the EC proposed a draft enforcement regulation to supplement, but not modify, the GDPR, which is being finalized, Van Overstraeten said (see 2504170002). The situation changed when the new EC, which took office late last year, identified the need for simplification of EU rules, he noted.

In raising the threshold of the number of employees, the EC is "certainly carefully assessing the risk of opening a Pandora's box, as everyone remembers the adoption process of the GDPR was a lengthy and sinuous one," said Van Overstraeten. What's now required is "more consolidation and guidance on how the new legislation that forms the EU Digital Package should fit with each other," said the attorney. For instance, he said, there are several rules on notification of data breaches that should be streamlined, and it's important to understand how the EU AI Act and GDPR will work together.

There are challenges in simplifying record-keeping obligations, such as how to square them with accountability requirements and the data-processing realities of supply chains and business models centered on data, regardless of an organization's size, emailed Isabelle Roccia, IAPP managing director, Europe. Another challenge will be the indirect impact on organizations that increasingly leverage their privacy tools and programs to comply with digital rules that intersect with the GDPR, she said.

The "minor change" in easing GDPR requirements for small and mid-sized companies "may offer limited relief" but falls far short of addressing "deeper structural issues that plague the EU's data protection framework," said Claudia Canelles Quaroni, Computer and Communications Industry Association Europe privacy and safety lead. At best, the "cosmetic fix" will lift GDPR burdens for just 0.2% of EU companies, she said, adding that instead, businesses need consistent, harmonized implementation of the regulation.

Making rules simpler can benefit consumers and companies, but simplification shouldn't equate to watering down standards, said European Consumer Organisation Director General Agustin Reyna. Opening the GDPR could, he said, put consumer rights at risk and cause companies to raise prices as they comply with new rules.