GDPR Simplification for SMEs and Mid-Caps
- Katarzyna Celińska
In response to ongoing concerns from SMEs and small mid-cap enterprises (SMCs), the European Commission has introduced targeted simplifications to GDPR obligations under a 2025 legislative proposal aimed at reducing administrative burdens, particularly for businesses with fewer than 750 employees.

Key Changes:
✅ Extended Derogation
Article 30(5) of the GDPR is now amended to exempt SMEs and SMCs with under 750 employees from maintaining records of processing activities—unless their activities are likely to result in a “high risk” to individuals’ rights and freedoms as defined in Article 35 GDPR.
✅ Risk-Based Approach Maintained
Only when processing operations are deemed high-risk will organizations still be required to keep detailed records.
✅ Clarification on Special Data Categories
The regulation explicitly notes that processing sensitive data for lawful employment or social protection purposes under Article 9(2)(b) does not automatically trigger the need to maintain processing records.
✅ Codes of Conduct and Certification
The revised Articles 40 and 42 now require that SMCs’ specific needs be considered when developing GDPR Codes of Conduct and data protection certification mechanisms—encouraging practical, sector-focused compliance strategies.
I don’t believe all GDPR requirements are inherently hard for SMBs. What I do support is reducing bureaucracy without weakening the framework. Compliance doesn’t mean producing tons of documentation—it means establishing internal processes that meet legal and regulatory standards. Practicality is key. Whether we’re talking about technical measures or organizational procedures, we need realistic, risk-based controls. That said, I am concerned this simplification could be misused. Many organizations, unfortunately, look for ways to avoid protecting PII instead of building responsible privacy programs. I hope these amendments won’t be interpreted as a green light to lower the bar.
Author: Sebastian Burgemejster