The European Commission has just unveiled a draft regulation proposing an important reform to the General Data Protection Regulation (GDPR), as part of a broader initiative to reduce administrative burdens and promote competitiveness across the EU.
This move, aligned with the SME Relief Package and Mario Draghi’s recommendations on European competitiveness, primarily aims to ease obligations for businesses transitioning from SMEs to so-called small mid-cap enterprises (SMCs).
Here are the key highlights of the proposed changes to the GDPR:
New Definitions Introduced – Article 4
Two new business categories are formally defined within the GDPR:
- Micro, Small, and Medium-sized Enterprises (SMEs) – following the standard EU definition.
- Small Mid-Cap Enterprises (SMCs) – newly introduced, defined as enterprises employing fewer than 750 people and meeting financial thresholds under a forthcoming Commission Recommendation.
Exemption from Record-Keeping Obligations – Article 30(5)
The current GDPR exempts organisations with fewer than 250 employees from maintaining a record of processing activities, unless specific high-risk processing occurs.
The proposed change raises this threshold to 750 employees and simplifies the rule:
The exemption applies unless the processing is likely to result in a high risk to the rights and freedoms of data subjects under Article 35 GDPR.
This means many mid-sized companies could soon be freed from a key compliance burden, unless they carry out high-risk data activities.
CRITICALITIES: The potential criticality is that EU data protection supervisory authorities might argue that the absence of the record of data processing might per se imply a lack of control over processed data and therefore a lack of adequate security measures. This approach would defeat the purpose of the reform.
Inclusion of SMCs in Codes of Conduct – Article 40(1)
The proposal adds SMCs to the list of entities whose needs must be taken into account when drafting Codes of Conduct under GDPR. These voluntary frameworks help ensure sector-specific compliance and data protection best practices.
CRITICALITIES: Codes of conduct have not been successful in the EU so far, since they are not binding for entities and are not fully taken into account by regulators. It is uncertain whether this change will turn into an actual benefit.
Certification Schemes Extended – Article 42(1)
Similarly, when promoting certification mechanisms and data protection seals, authorities must now also consider the needs of SMCs alongside SMEs. This could make it easier for SMCs to demonstrate GDPR compliance in a scalable, less costly way.
CRITICALITIES: The same comment relating to codes of conduct applies to certification schemes, which have never proliferated in the EU as a way to show data protection compliance.
Implications and Next Steps
This reform:
- reflects the EU’s shift toward proportionality and smarter regulation;
- aims to reduce compliance costs for companies in the 250–749 employee range; and
- addresses the “cliff effect” many SMEs face when they grow and suddenly become subject to the same regulatory expectations as large enterprises.
However, the proposal must still go through the legislative process and is subject to change. Companies in the tech, healthcare, energy, and manufacturing sectors, where SMCs are prevalent, should begin assessing how the reforms could impact their compliance strategies.
Conclusion
Despite the criticalities indicated above, the proposed GDPR reform is a welcome simplification for growing businesses. By redefining thresholds and extending key exemptions, the EU takes a step toward a more balanced data protection framework that supports innovation while maintaining high standards of privacy. If the proposed reform of the GDPR is passed, it will be crucial that EU data protection authorities adopt a consistent approach in its implementation.
What do you think about the above? On a similar topic, you can read the article “EDPB and EDPS’ preliminary feedback on proposed GDPR record of data processing simplification”.