As part of a broader effort to reduce administrative burdens and boost competitiveness across the EU Single Market, the European Commission has proposed important amendments to the General Data Protection Regulation (GDPR). The changes primarily aim to ease compliance for small and medium-sized enterprises and certain larger businesses.
Currently, Article 30 of the GDPR requires data controllers and processors to maintain detailed records of all data processing activities.
An exception exists only for organizations with fewer than 250 employees - and even then, only if all of the following additional conditions are cumulatively met:
1) The processing does not pose a risk to individuals’ rights and freedoms;
2) It is occasional in nature;
3) It does not involve special categories of sensitive data.
In practice, these conditions are rarely met at the same time, meaning that even smaller companies are often required to maintain such processing records.
The new proposal introduces more flexible criteria for exemption. Specifically, the exemption would apply to small and medium-sized enterprises and to businesses with fewer than 750 employees. This would significantly increase the number of companies eligible for this option and, with it, for reduced administrative obligations.
However, it is important to note that if the processing activities present a high risk to individuals’ rights and freedoms, the organization, regardless of its size or number of employees, would still be required to maintain full processing records for its activities.
According to preliminary estimates by the European Commission, the proposed changes, along with other EU-level measures, could save businesses around EUR 66 million annually in administrative costs. These resources could instead be redirected toward innovation, technology, and sustainable growth, while maintaining the EU’s high standards of data protection.
The proposed amendments will now be reviewed carefully by the European Parliament and the Council as part of the legislative process. In the meantime, organizations that fall within the scope of the proposed relief should closely follow the developments and assess how the potential easing of requirements may affect their internal GDPR compliance frameworks.