In May 2025 the European Commission proposed[1] targeted changes to the GDPR to cut paperwork for smaller organisations without touching the regulation’s core protections. The headline move: simplify Article 30 records by pushing the exemption threshold up to fewer than 750 employees and tying the duty to keep records to processing that is likely to result in a high risk. Roughly 38,000 “small mid-cap” (SMC) companies would newly benefit, alongside ~26 million SMEs that already sit under lighter-touch provisions; the Commission pegs annual GDPR admin savings at about €66 million (within a wider simplification package worth ~€400 million per year). Because ~99% of EU companies employ fewer than 750 people, most would fall under the lighter record-keeping regime unless they carry out high-risk processing.
What is changing
The proposal writes SMCs into the GDPR’s definitions, i.e. companies bigger than SMEs but still below 750 employees (and within set financial caps: turnover ≤ €150m or balance sheet ≤ €129m). It then retools Article 30(5) so that enterprises and organisations under the 750-employee line do not need a formal Record of Processing Activities unless a specific processing operation is likely to result in a high risk to individuals’ rights and freedoms (the same risk threshold that triggers a DPIA under Article 35). Two current trip-wires disappear: it will no longer be the case that non-occasional processing, or processing of special-category or criminal-offence data, automatically forces you to keep a record; those factors still matter, but only insofar as they make a processing operation likely high-risk. A recital also clarifies that handling special-category data to meet employment and social-security duties does not, by itself, require a record unless the risk level is high.
Beyond records, the draft updates Articles 40 and 42 so that codes of conduct and certification mechanisms are developed with the needs of SMCs in mind, not only SMEs.
What does not change: all substantive GDPR duties (lawful basis, transparency, security, DPIAs for high-risk processing, data-subject rights, DPO triggers) stay exactly as they are.
Why these changes
Brussels is trying to remove the “compliance cliff” that hits companies the moment they outgrow SME status. The idea is to keep accountability tools where they add most value (i.e. high-risk processing) and to stop smaller and mid-sized firms from spending disproportionate time on documentation for routine, low-risk data use. It’s also a competitiveness play: less red tape should make it easier for ambitious mid-caps to scale, invest and adopt new tech, while preserving the GDPR’s risk-based spine.
EDPB and EDPS’s joint opinion
The EDPB and EDPS issued a joint opinion[2] that is supportive in principle but asks legislators to tighten the draft: explain why 750 is the right threshold (an earlier draft floated 500), tie the exemption explicitly to the SME/SMC definitions (for example through the financial caps, so that large firms with fewer than 750 staff but very high turnover don’t slip in), exclude public authorities from the derogation, and state clearly that only processing that is likely high-risk must be recorded (to avoid a reading where “one high-risk activity means records for everything”).
Business vs. privacy perspectives
Businesses, especially SMEs and mid-caps, largely see a sensible reset: less time shepherding RoPAs for mundane processing, more time on product, security and service. Many mid-sized manufacturers, healthcare suppliers and B2B tech firms expect tangible savings and faster execution. That said, some industry voices call the move too modest, noting it newly helps a relatively narrow band (the 250–749 cohort) and doesn’t solve deeper pain points like uneven enforcement and national divergences.
Privacy and consumer advocates worry that moving most companies out of mandatory record-keeping risks hollowing out accountability. Records are often how organisations (and regulators) learn what data flows actually exist. If you remove that map, they argue, you invite blind spots in risk assessment, incident handling and rights responses. They also warn about the precedent of re-opening GDPR: start with paperwork today, erode substance tomorrow. Both sides, however, converge on one point: high-risk processing must remain fully documented.
What it means in practice
If your organisation has fewer than 750 employees, the duty to keep a RoPA becomes conditional on the risk profile of each processing activity. Day to day this means you’ll need a clear, repeatable way to judge “likely high-risk”, using familiar DPIA criteria (scale, sensitivity, vulnerable data subjects, systematic monitoring, new tech), national DPIA blacklists/whitelists where available, and sector guidance. When the answer is yes, you both do a DPIA and maintain records for that processing. When the answer is no, you can skip the formal record; many organisations will still keep a lean processing inventory because it makes everything else easier: privacy notices, DSARs, vendor oversight, security design, breach triage, audits, and because large customers may contractually require it from processors regardless of the legal exemption.
If the proposed changes are adopted, there will likely be (at least) two risks to manage. First, misclassification: if you call a high-risk activity low-risk and skip the RoPA and DPIA, you multiply your exposure if something goes wrong. Build in a second pair of eyes (DPO, counsel, external advisor) for close calls. Second, drift: an initially low-risk process can become high-risk as volumes, purposes or data types change; schedule periodic reviews and make product/IT change management flag privacy impacts early.
If you have 750 or more employees, nothing really changes operationally: keep your enterprise-wide RoPAs and carry on.
Conclusion
This draft doesn’t rewrite the GDPR; it right-sizes its paperwork. By reserving formal records for high-risk processing and recognising SMCs, the EU is nudging smaller and mid-sized firms toward risk-first governance: less box-ticking, more attention where harm is likeliest. The smart move for businesses is to tune their risk triage, keep lean, living maps of key processing, and watch for the final text, especially the clarifications the data-protection bodies have asked lawmakers to add (e.g. what constitutes high-risk processing).
This post was drafted with the assistance of AI and has been reviewed and approved by a qualified lawyer. It is provided for general information only and does not constitute legal advice.
[1] Source: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:52025PC0501R%2801%29 (Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL amending Regulations (EU) 2016/679, (EU) 2016/1036, (EU) 2016/1037, (EU) 2017/1129, (EU) 2023/1542 and (EU) 2024/573 as regards the extension of certain mitigating measures available for small and medium sized enterprises to small mid-cap enterprises and further simplification measures)
[2] Source: https://www.edpb.europa.eu/our-work-tools/our-documents/edpbedps-joint-opinion/edpb-edps-joint-opinion-012025-proposal_en (EDPB-EDPS Joint Opinion 01/2025 on the Proposal for a Regulation on simplification measures for SMEs and SMCs, in particular the record-keeping obligation under Art. 30(5) GDPR)