In May 2025, the European Commission published a proposal that has sparked considerable debate within the data protection community. As part of its Fourth Omnibus Simplification Package, the Commission is proposing targeted amendments to Article 30 of the GDPR, aimed at reducing administrative burdens for smaller organisations. But does this simplification strike the right balance between practical compliance and robust data protection?
What’s Being Proposed?
The proposal seeks to reform the existing Article 30(5) exemption from record-keeping obligations. Currently, organisations with fewer than 250 employees don’t need to document processing that is occasional, but must still maintain Records of Processing Activities (RoPA) for regular processing, special category data, or criminal conviction data. In practice, this means most small organisations still need to maintain fairly comprehensive RoPAs.
Under the new proposal, this exemption would be significantly expanded to include:
- Small mid-cap enterprises (SMCs) with fewer than 750 employees
- Organisations meeting similar size thresholds (up to €150 million turnover or €129 million balance sheet)
Crucially, the proposal changes the exemption criteria. Rather than the current multi-part test (occasional processing, no special categories, etc.), the new exemption would cover all processing except activities “likely to result in a high risk to the rights and freedoms of individuals” – the same threshold that triggers a Data Protection Impact Assessment (DPIA) under Article 35.
The proposal also clarifies that processing special category data for employment, social security, or social protection purposes under Article 9(2)(b) would not automatically trigger record-keeping obligations.
The Business Case: Potential Benefits
The European Commission estimates this change could save businesses across the EU approximately €400 million in compliance costs. The rationale is straightforward:
Reduced Administrative Burden: Small and medium-sized businesses often lack dedicated compliance resources. Removing blanket record-keeping requirements allows them to focus efforts where risks are genuinely elevated.
Resource Reallocation: Rather than maintaining detailed documentation for low-risk processing, businesses can invest time and resources in core operations and growth.
Enhanced Competitiveness: By easing regulatory burdens, European SMEs and SMCs may be better positioned to compete globally, particularly against businesses in jurisdictions with lighter regulatory frameworks.
Practical Compliance: The current Article 30(5) exemption hasn’t worked as intended in practice. The “occasional processing” exception is difficult to apply, and most small organisations end up maintaining RoPAs anyway because their processing is regular, involves special categories, or relates to criminal convictions. This proposal attempts to create a more meaningful and workable exemption.
The Data Protection Perspective: Legitimate Concerns
Despite receiving preliminary support from both the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS), the proposal raises important concerns:
Risk-Based Approach Challenges: While the “high risk” threshold seems sensible, it places the burden on smaller organisations to correctly assess whether their processing meets this standard. Without proper records, how can they demonstrate they’ve made this assessment appropriately?
Transition Difficulties: What happens when an organisation grows beyond 750 employees or begins high-risk processing? Suddenly implementing comprehensive record-keeping can be complex and resource-intensive.
Accountability Questions: Records of processing activities aren’t just bureaucracy – they’re fundamental to demonstrating GDPR compliance. They support transparency obligations, facilitate data subject rights, and enable meaningful oversight by supervisory authorities.
Potential Weakening of Protections: There’s a legitimate concern that this signals a dilution of the GDPR’s core principles. If record-keeping is seen as “red tape” rather than a fundamental accountability measure, what message does this send about the value placed on personal data protection?
Limited Real-World Impact: Legal experts suggest that many organisations falling within the size definition will still need to maintain records due to the nature of their processing activities. The real administrative work – mapping processing activities, conducting DPIAs, and performing legitimate interest assessments – remains unchanged.
The UK Perspective
For UK-based organisations, this proposal won’t directly impact domestic compliance obligations under UK GDPR. However, any UK business processing data of EU residents would need to consider these changes in their EU GDPR compliance strategy.
Interestingly, this move may influence future UK data protection reform discussions, particularly as the government continues its own efforts to reduce regulatory burdens while maintaining adequacy with the EU.
What Happens Next?
The proposal now enters the EU’s legislative process, where it may be amended by the European Parliament and Council. The EDPB and EDPS have requested clarifications on several points, including:
- Why the threshold was set at 750 employees rather than the initially considered 500
- How to ensure the exemption properly benefits the intended SMEs and SMCs
- Confirmation that “organisations” excludes public authorities
A Balanced View
This isn’t a simple case of “simplification good, regulation bad” or vice versa. The proposal reflects a genuine tension in data protection law: how do we maintain robust protections for individuals whilst acknowledging that compliance costs can be disproportionate for smaller organisations with limited resources and lower-risk processing?
The key question is whether the “high risk” threshold provides sufficient protection. If smaller organisations can genuinely identify when their processing is routine and low-risk, this exemption makes practical sense. However, if organisations struggle to make this assessment – or worse, incorrectly deem high-risk processing as low-risk – the consequences for data subjects could be significant.
What This Means for DPOs and Businesses
For those of us advising smaller organisations, the practical implications are clear:
- Don’t assume automatic exemption: The high-risk threshold means many organisations will still need to maintain records
- Document your risk assessment: Even if exempt, organisations should document their reasoning for why they believe the exemption applies
- Plan for growth: Build systems that can scale when you exceed size thresholds or begin higher-risk processing
- Remember other obligations remain: Transparency, subject rights, security measures, and other GDPR requirements are unchanged
The proposal is still progressing through the legislative process, but it signals a willingness to refine the GDPR’s practical application without compromising its fundamental principles. Whether it achieves that balance remains to be seen.
Your Thoughts?
As someone working with multiple organisations on their GDPR compliance, I’m keen to hear from others in the data protection community. Do you think this proposal strikes the right balance? Will it genuinely reduce burdens for smaller organisations, or will the “high risk” exception mean little changes in practice?
The proposal is expected to undergo further amendments as it progresses through the EU legislative process throughout 2025 and beyond.