European Commission introduces GDPR reform proposal

On Wednesday, 22 May 2025, the European Commission introduced a proposal to reform certain requirements of the EU General Data Protection Regulation (GDPR) as part of an Omnibus IV Simplification Package that aims to cut red tape, reduce costs, and modernise EU rules in order to increase the competitiveness of European businesses.

The proposal is for a regulation concerning the extension of specific mitigating measures available to small and medium-sized enterprises (SMEs) and small mid-cap enterprises (SMCs), along with other measures.

Article 30 of the GDPR requires controllers and processors to maintain a record of data processing activities (RoPA), including details about what information such records should contain. However, paragraph 5 of Article 30 currently provides an exemption for organisations with fewer than 250 employees, whereby such organisations do not have to maintain these records. 

Under this new proposal, the Commission aims to "simplify and clarify" this exemption in two ways, which, in effect, replaces mandatory record-keeping with a risk assessment requirement. 

As such, the proposal will increase the scope of the exemption to cover organisations with fewer than 750 employees and make record-keeping mandatory only when the processing activities are likely to result in a "high risk" to data subjects' rights and freedoms.

In addition, the proposal would also amend provisions around codes of conduct under Article 40 and certification schemes under Article 42 to account for the needs of SMCs alongside SMEs. 

In a blog article responding to the proposal, a group of 107 civil society organisations, academics, companies, trade unions, and experts led by European Digital Rights (EDRi) has sent an open letter calling for the Commission to "reject any reopening" of the GDPR, and to "reaffirm it as a cornerstone of the EU's digital rulebook." 

The letter highlights that the GDPR serves as the "backbone of the EU's digital rulebook," representing a significant legislative achievement that establishes robust standards and protects individual dignity in an increasingly data-driven world. Furthermore, the signatories argue that the influence of the GDPR reaches far beyond the EU to shape digital governance on a global scale.

While supporting the idea of GDPR simplification in theory, the signatories are concerned that the "proposed changes risk, unsupported by any evidence, missing the mark of genuine simplification, and could instead roll back key accountability safeguards and with them, the accountability principle itself."