16 Jun 2025

GDPR Reforms Proposed: Simplifying Compliance for Growing Businesses

The European Union is set to implement significant changes to the General Data Protection Regulation (GDPR) as part of its ongoing effort to reduce regulatory burdens on businesses while maintaining robust data protection standards.  These proposed amendments, part of the Commission’s fourth Omnibus package, represent the most substantial review of GDPR since its implementation in 2018.

Key Changes to GDPR on the Horizon

The centerpiece of the proposed reforms involves expanding exemptions from record-keeping obligations under Article 30 of the GDPR.  Currently, organizations with fewer than 250 employees are exempt from maintaining detailed records of their data processing activities, unless specific high-risk conditions apply.

The new proposal would raise this threshold to 750 employees and simplify the exemption criteria significantly, by introducing a new business category: “small mid-cap enterprises” (SMCs), defined as companies with fewer than 750 employees and either up to €150 million in turnover or up to €129 million in total assets.  Nearly 38,000 companies across the EU would benefit from these simplified obligations, with the European Commission estimating annual savings of approximately €400 million from GDPR-related changes alone.

Under the revised framework, companies would only be required to maintain processing records when their activities involve “high risk” processing (use of AI, profiling, genetic data, etc.), rather than the current broader standard of “risk” to data subjects’ rights and freedoms.  This change aims to eliminate situations where SMEs must maintain extensive documentation for routine, low-risk data processing activities.  The proposed package also includes simplifying the notification process for appointing a Data Protection Officer (DPO) via a standardized EU-level system, along with fully digitizing forms used with supervisory authorities.  These changes aim to support a more streamlined regulatory framework and improve coordination and efficiency in GDPR enforcement across the EU.

Reasons for Change

The reform is driven in part by growing concerns about Europe’s competitiveness in the global tech landscape, particularly in artificial intelligence.  Rapid AI developments have exposed gaps in the current GDPR, especially regarding automated decision-making and profiling.  The proposed updates aim to clarify transparency requirements in algorithmic processing and strengthen safeguards for international data transfers involving AI systems.

The proposal also incorporates suggestions from Mario Draghi’s key report on European competitiveness, which highlighted that complex EU laws, including GDPR, hinder innovation and growth.

Balancing GDPR Simplification and Privacy

The business community broadly supports the proposals, viewing them as a much-needed reduction in administrative burdens, particularly for smaller businesses that face a steep “compliance cliff” once they surpass 250 employees.  However, some concerns remain.

Privacy advocates are concerned that the reforms may weaken privacy protections in the name of economic competitiveness.  Critics fear a two-tiered system may emerge, where data subjects’ rights vary based on the size of the company handling their data.

On the other hand, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have expressed preliminary support for these targeted simplification measures, emphasizing that the changes would not affect other GDPR obligations.

Looking Ahead

As the consultation process unfolds, stakeholders will need to carefully balance economic competitiveness concerns against fundamental privacy rights.  The outcome of this balance will likely influence not only European data protection law but also global privacy regulation standards, given the GDPR’s role as a model for jurisdictions worldwide and its extraterritorial application.  The amendments represent both an opportunity to modernize data protection law for the digital age and a test of whether regulatory frameworks can evolve without compromising their core protective purposes.

Author: Uroš Rajić