GDPR Simplification for SMEs and SMCs: Understanding the Latest EU Proposal

Introduction

The European Commission has introduced new proposals aimed at significantly simplifying GDPR compliance for Small and Medium Enterprises (SMEs) and Small Mid-Cap enterprises (SMCs). The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) recently delivered their joint opinion supporting this initiative but highlighting areas requiring careful consideration. This article delves into the details and explains the implications for your business.

Key Changes in the GDPR Simplification Proposal

The primary focus of the proposal is easing administrative burdens for SMEs and SMCs, particularly concerning Article 30(5) of GDPR, which governs record-keeping obligations. Currently, businesses employing fewer than 250 persons may already enjoy certain derogations under GDPR. The proposed change raises this threshold to businesses employing fewer than 750 people, significantly broadening the exemption’s scope. However, the exemption does not apply to businesses conducting processing activities deemed "likely to result in a high risk" to individual rights and freedoms. Therefore, even smaller enterprises will need to carefully evaluate their processing activities to confirm whether they are exempt.

What Does “Likely to Result in High Risk” Mean?

The EDPB-EDPS opinion emphasizes clarity regarding what constitutes "high-risk" processing. The key reference remains Article 35 GDPR, which stipulates when Data Protection Impact Assessments (DPIAs) must be conducted. Common high-risk activities include:

  • Large-scale monitoring or profiling

  • Systematic monitoring of employees, especially involving sensitive data

  • Processing special categories of data under Articles 9 and 10 GDPR (health data, biometrics, criminal records, etc.)

Therefore, any enterprise, irrespective of size, engaged in such activities would still be required to maintain records of their data processing activities.

Simplification Must Not Compromise Data Protection

While welcoming these simplifications, the EDPB and EDPS strongly reiterate the importance of preserving fundamental data protection rights. Their joint opinion stresses that any relaxation in compliance obligations should not diminish the GDPR’s core principles, such as transparency, accountability, and security.

Businesses benefiting from the exemption must still adhere to all other GDPR obligations, such as ensuring lawful processing, data minimization, and prompt breach notification. Thus, adopting simplified record-keeping methods should not lead to complacency in overall compliance efforts.

Practical Steps for SMEs and SMCs

To effectively leverage the proposed simplifications, SMEs and SMCs should:

  1. Assess Processing Activities:
    Regularly review your data processing to ensure none qualify as high-risk.

  2. Maintain Documentation:
    Even if exempt from formal record-keeping, businesses are encouraged to keep simplified documentation that supports GDPR compliance and accountability.

  3. Seek Expert Guidance:
    Engage data protection specialists to confirm your eligibility for simplification and ensure continued compliance.

  4. Utilize EU Resources:
    Leverage guidelines and resources from supervisory authorities (SAs) and the EDPB, specifically designed to assist SMEs and SMCs.

A Note on Public Authorities and Non-Profit Organizations

The proposal explicitly clarifies that these simplifications will not extend to public authorities and bodies, given their unique accountability responsibilities under GDPR. Non-profit organizations and charities, however, may qualify for simplified record-keeping, provided their processing activities do not entail high risk.

Certification and Codes of Conduct

Additionally, the proposal extends the GDPR articles concerning certification (Article 42) and codes of conduct (Article 40) explicitly to include SMCs. This means tailored compliance frameworks are expected, making it easier for these enterprises to demonstrate their adherence to GDPR.

Conclusion

The proposed GDPR simplifications represent significant regulatory support for SMEs and SMCs, aiming to strike a balance between reducing burdens and maintaining high data protection standards. Companies should proactively review their compliance practices to navigate these changes smoothly.

As GDPR evolves, staying informed remains crucial. For personalized guidance and comprehensive data protection advice tailored to your business, contact our experienced GDPR compliance attorneys today.
