GDPR record-keeping simplification: what difference will it really make?
Today, the European Commission presented its fourth ‘omnibus’ simplification package, aiming to reduce regulatory burdens on small and mid-sized businesses. One of the key elements is a proposal to exempt small mid-caps (SMCs), companies with fewer than 750 employees, as well as SMEs, from the GDPR’s record-keeping obligations, unless they engage in “high-risk” data processing. At FEDMA, we welcome efforts to cut red tape and boost competitiveness for smaller businesses. However, when it comes to GDPR record-keeping, the practical value of this exemption raises important questions.
Most will still need to keep records
While the measure promises to ease compliance, many businesses may not feel the intended relief. Under the European Data Protection Board (EDPB) guidelines, “high-risk” processing includes activities like large-scale data use, matching or combining datasets, all of which are common practices in today’s digital economy.
A typical SMC offering marketing autonomation services, for example, would process large volumes of customer data, and perform audience segmentation to offer targeted campaign insights. Despite falling under the size threshold, the SMC would likely be classified as engaging in high-risk processing. As such, it would still need to maintain detailed records under Article 30 of the GDPR.
This is not an isolated case. In practice, many companies targeted by the exemption will remain bound by the record-keeping requirement due to the nature of their data processing activities. The question remains: how much relief does this change really offer?
Record-keeping is not just red tape
Article 30 records are not just an administrative task. They are a foundation of accountability under the GDPR, helping organisations map their processing activities, identify risks, and demonstrate compliance. Diluting this obligation without tackling the actual complexity businesses face in applying GDPR risks missing the bigger picture.
Focus should shift to harmonising risk interpretation
If the EU wants to make a real difference for innovation and digital competitiveness, the focus should shift towards improving how the GDPR’s risk-based approach is applied in practice. Businesses continue to struggle with inconsistent interpretations of what constitutes “high-risk” processing, and with fragmented (and often restrictive) guidance from supervisory authorities. Rather than broad exemptions with limited real-world impact, targeted efforts to clarify and harmonise existing rules would offer more meaningful support for small and mid-sized organisations.
