EU’s Proposed GDPR Reforms: Practical Impact or Policy Signal? 

The EU’s swift proposal to reform aspects of the GDPR has raised questions across the compliance landscape. Are we seeing meaningful change or merely a strategic signal? Read on for a closer examination.

Early in April 2025, rumours began to spread that the EU Commission intended to introduce simplifications to the GDPR. On 8 May, these rumours were confirmed by the European Data Protection Board, which wrote an open letter to the Commission detailing the discussions.

Then something happened that rarely happens in the halls of power in Brussels and Strasbourg when it comes to legislative affairs: a formal proposal was processed with haste and published on Wednesday, 21 May. The proposal introduces what appear to be significant changes to the formal requirement to maintain records of the processing of personal data. The question is: what are the true consequences of these changes?

What is a ROPA?

As a rule, all organisations that process personal data are required to maintain a formal Record of Processing Activities (ROPA) documenting the processing they perform. The ROPA must be made available to the Data Protection Authorities upon request. From a governance, compliance and risk management perspective, the ROPA is therefore the fundamental building block: it is the inventory against which every other control is checked. The Commission's proposal is part of the so-called Omnibus package and also includes changes to the rules on codes of conduct and certification.

When the final draft proposal of the GDPR was introduced in November 2015, the EU laid down the so-called SME exemption from the formal requirement to maintain a ROPA. As the name suggests, the exemption applies to small and medium-sized enterprises, i.e. companies with fewer than 250 employees. However, the exemption does not apply if the processing is more than occasional, is likely to result in a risk to the rights and freedoms of data subjects (a very low bar), or involves sensitive data.

Thus, even though the clear intent was to ease the administrative burden on SMEs, the original exemption was drafted in such a way that it seldom applied in practice: almost any organisation processes personal data more than occasionally, and almost any processing carries some risk.

What is the EU Commission proposing?

The Commission is proposing an amendment to Article 30(5) of the GDPR. The proposed amendment entails the following:

First, an extension of scope from SMEs (fewer than 250 employees) to so-called small mid-cap enterprises, SMCs (fewer than 750 employees).

Second, and most importantly, SMCs are formally required to maintain a ROPA only where a processing activity is likely to result in a high risk to the rights and freedoms of natural persons; this is the same threshold that triggers the obligation to perform a Data Protection Impact Assessment (DPIA) under Article 35.

Third, as elaborated in a recital, the processing of sensitive data for the purpose of carrying out obligations and exercising specific rights in the field of employment and social security does not, in itself, trigger the obligation to document that processing in a ROPA.

Thus, SMCs would only be formally required to maintain a ROPA for processing likely to result in a high risk. Non-compliance with this formal requirement remains sanctionable with administrative fines of up to 10 million EUR or 2 % of total worldwide annual turnover, whichever is higher.

What are the consequences with this proposal? 

Based on our experience, we know that simplifying formal requirements in order to reduce administrative burden does not always generate the desired results. The original SME exemption from 2015 is a clear illustration of this.

Thus, the question arises: are we trading the simplification of a formal requirement for greater uncertainty in how GDPR compliance is applied? At the end of the day, the benefit of formal requirements, as opposed to general requirements, is that they are clear and precise. As the saying goes, better the devil you know.

A closer examination

  • There is a risk that the Commission focuses too narrowly on the formal record-keeping obligation. There is no proposed amendment to the accountability principle or to the obligation to be able to demonstrate that the processing performed is compliant. Thus, even without a formal ROPA, all the elements of a ROPA must still be documented and made available to the Data Protection Authorities upon request.
  • One of the major challenges of the GDPR is its cross-border application, i.e. the differences in interpretation and application by the courts and Data Protection Authorities of the Member States. In this context, the ROPA has been a helpful tool precisely because it is clear and precise in its application. The Commission's proposal opens the door to a multitude of interpretations of how companies shall demonstrate compliance. For companies operating in multiple markets, compliance costs may therefore actually increase.
  • Any infringement of the formal obligation to maintain a ROPA for processing likely to result in a high risk may be sanctioned with administrative fines. Thus, an SMC is still required to evaluate the risk of any planned processing of personal data before it can know whether the formal obligation applies. In addition, even if the processing, after a DPIA has been performed, is classified as low or medium risk, that processing still has to be documented in order to demonstrate accountability. That mouthful of a sentence is a good example of how the proposed simplification may not be as simple as suggested.

In summary, it appears that the formal requirement to maintain a ROPA will disappear for SMCs and be replaced by an indirect requirement to maintain the same information in a de facto ROPA.

What to do now?

The proposal has not been enacted as of today. It is still only a proposal and not the law of the land. Thus, we do not recommend that organisations take any action at this moment.

If anything should be done, it should be to lobby for better, more effective and sustainable ways to ease the administrative burden of data protection. We welcome simplification of the administrative burden for European companies. As elaborated above, however, the suggested changes may do the exact opposite and bring a significant risk of increased administration, uncertainty in compliance, and new costs to govern and ensure accountability for data protection.

There are plenty of ways to ease the burden for European companies. One example would be to limit the scope of application to structured data. The risk arising from the processing of unstructured data is generally low compared with both the cost of compliance and the commercial interest in governing such data. Today, organisations across Europe spend considerable resources meeting retention requirements for unstructured data. This is an area where a change would have a very direct and practical impact on data protection administration, with little effect on the risk to individuals' rights and freedoms.

Pia Rosengren

Partner & Head of Data Privacy

Aron Klingberg

Senior Manager
