Proposed GDPR Reforms Spark Debate Over Compliance Burdens

Why GDPR Reform Conversations Are Important
The European Commission's proposed reforms to the General Data Protection Regulation (GDPR) aim to alleviate compliance burdens for small and mid-sized enterprises. However, these changes have prompted concerns from data protection authorities about potential risks to data subjects' rights. Understanding these proposals is crucial for organizations to anticipate and adapt to potential shifts in data protection obligations.
Overview of Proposed GDPR Reforms
In May 2025, the European Commission introduced proposals to amend the GDPR, focusing on simplifying compliance requirements for small and mid-cap enterprises. Key among these is the adjustment of the exemption criteria for maintaining records of processing activities under Article 30. Currently, organizations with fewer than 250 employees are exempt unless their processing activities pose certain risks. The proposed change would extend this exemption to organizations with fewer than 750 employees, with mandatory record-keeping only when processing activities are likely to result in a "high risk" to data subjects or involve special category data.
The reform package also includes proposed updates to Articles 40 and 42, which govern codes of conduct and certification mechanisms. These tools—originally intended to support accountability and provide sector-specific guidance—have seen limited uptake across the EU since the GDPR took effect. The European Commission is seeking to streamline approval processes, enhance cross-border recognition, and encourage more robust supervisory oversight of these mechanisms. The goal is to make them more accessible and useful, especially for smaller organizations, and to facilitate harmonized application of GDPR principles across member states and industry sectors.
Key Points about GDPR Reforms
Expansion of Record-Keeping Exemptions
The proposed increase in the employee threshold from 250 to 750 would significantly expand the number of companies eligible for record-keeping exemptions under Article 30. While this change is intended to ease regulatory burdens for SMEs and mid-sized companies, privacy professionals should note that headcount alone won’t determine compliance obligations—context and processing risk still matter. The EDPB has signaled caution, emphasizing that data protection obligations should be based on processing impact, not just organizational size.
Clarification on High-Risk Processing Criteria
The reforms reaffirm that mandatory documentation still applies when an organization engages in high-risk processing, such as activities likely to affect individuals’ rights and freedoms or involving special category data. Notably, the proposal clarifies that certain uses of sensitive data—such as for employment or social security purposes—will not automatically trigger record-keeping. This nuance could offer relief for HR and payroll departments but also introduces interpretive ambiguity that may require updated DPIAs and legal review to assess exposure.
Institutional Pushback from EU Regulators
In a joint opinion, the EDPB and EDPS have expressed concern that the reforms may unintentionally weaken the GDPR’s accountability framework. They note that even small businesses can engage in invasive or high-risk data practices—such as biometric processing or geolocation tracking—and record-keeping is essential to ensuring data subjects' rights are respected. Their response hints at a potential tug-of-war between EU institutions over how to balance regulatory flexibility with robust data governance.
Practical Implications of GDPR Reform
Organizations should closely monitor these proposed changes to assess how they may impact their compliance obligations. While the reforms aim to reduce burdens, it's essential to evaluate whether processing activities could still be considered high-risk, necessitating continued adherence to record-keeping requirements. Engaging with legal counsel and data protection officers to review processing activities and risk assessments will be vital in preparing for potential regulatory adjustments.
Organizations with fewer than 750 employees should consider the following actions:
Assess “high risk” data processing activities
While the current requirement to maintain a Record of Processing Activities (“RoPA”) may be triggered where processing is “likely to result in a risk,” the proposed changes for organizations with fewer than 750 employees would reset the bar to processing activities that are “likely to result in a high risk.”
Organizations with fewer than 750 employees should assess high-risk data processing activities, including but not limited to large-scale data processing, profiling, automated decision making, combining datasets for the purpose of behavioural advertising, and processing sensitive personal data.
Maintain a lightweight RoPA, even if exempt
While your organization may be exempt from the requirement to maintain a RoPA, maintaining a lightweight RoPA can be beneficial nevertheless. A RoPA is a practical tool for mapping data flows, identifying risks, and demonstrating accountability during audits or internal reviews.
Monitor evolving guidance
Proposed changes to Article 30 of the GDPR have yet to pass or take effect. Organizations should have a system in place for monitoring evolving guidance from national data protection authorities, the European Data Protection Board, and industry best practices to track and comply with obligations.
Use legislative reform as an opportunity
Legislative reform presents an opportunity for organizations to (i) reassess and update data inventories, (ii) refresh data protection impact assessments, and (iii) streamline processes for handling data subjects’ rights requests.
Data Privacy Tip
Understanding the data your organization holds—and where you keep it, how it’s processed, why it was collected, and what retention obligations are associated with it—is the foundation of compliance with GDPR or any of the myriad other privacy regulations in effect today. Check out our blog post to learn how automated data mapping technology can help.