On 25 May 2025, we marked the seventh anniversary of the General Data Protection Regulation (GDPR) coming into effect.
Over the past seven years, the GDPR has become the cornerstone of data protection law across the EU and beyond. Now, the European Commission (Commission) is proposing targeted amendments to ease compliance and foster growth—particularly for small and mid-sized enterprises.
The Proposal
On 21 May 2025, as part of its fourth Simplification Omnibus Package and under the mandate of its 2024–2029 Political Guidelines, the Commission published a proposal to amend the GDPR (Proposal). The Proposal forms part of a broader initiative to reduce certain regulatory burdens and stimulate investment across the Single Market. It also includes amendments to five other EU regulations in pursuit of this objective.
Key Changes to the GDPR
The Proposal introduces a targeted approach to support companies in scaling strategically important sectors. In particular, it seeks to simplify Records of Processing Activities (RoPAs) obligations under Article 30(5) GDPR and extend certain compliance exemptions currently available to small and medium-sized enterprises (SMEs) to a new category: small mid-cap enterprises (SMCs).
While the Proposal does not yet define SMCs, it indicates that the definition will align with co-legislators' approach in other legislative acts, covering enterprises approximately three times the size of SMEs (i.e. 750 employees).
Proposed Changes to Article 30(5) GDPR:
Under Article 30 of the GDPR, controllers and processors of personal data are required to maintain a RoPA, with an exemption for SMEs (organisations employing fewer than 250 persons), unless their processing is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data or personal data relating to criminal convictions and offences referred to in Article 10 of the GDPR. In practice, this exemption has proved to be of limited application, a position reinforced by 2023 guidance from the Data Protection Commission.
The proposed amendments to Article 30(5) GDPR are as follows:
- Expansion of the Exemption Scope: The current exemption from maintaining a RoPA applies to organisations with fewer than 250 employees (SMEs). The proposal extends this exemption to SMCs—currently defined as organisations with fewer than 750 employees.
- Higher Risk Threshold: Currently, the exemption does not apply if the processing is "likely to result in a risk to individuals' rights and freedoms". The amendment raises this threshold to "likely to result in a high risk", thereby broadening the scope of organisations that can benefit from the exemption.
- Removal of Certain Limitations: The proposal removes references to "occasional processing", the processing of special categories of data or personal data relating to criminal convictions and offences, as disqualifying factors for the exemption.
- Clarification for Employment-Related Processing: A new recital clarifies that the obligation to maintain a RoPA does not apply to the processing of special category data when done to comply with legal obligations in the fields of employment, social security, or social protection law under Article 9(2)(b) GDPR.
Further Amendments to the GDPR:
The Proposal also seeks to extend benefits contained in existing provisions for SMEs to SMCs, namely:
- Introduce a definition of SMCs in Article 4;
- Amend Article 40 GDPR to ensure that codes of conduct reflect the specific needs of SMCs, in addition to micro, small, and medium-sized enterprises; and
- Amend Article 42 GDPR to extend the same consideration to data protection certification mechanisms.
Regulatory Response
On 8 May 2025, the European Data Protection Board and the European Data Protection Supervisor issued a joint letter to the Commission expressing preliminary support for the Proposal. They welcomed the simplification efforts, noting that the core obligations of controllers and processors remain intact.
However, they also emphasised that the Proposal cannot remove the obligation of general compliance with the GDPR or its risk-based approach. They cautioned that even small organisations can engage in high-risk processing. The formal consultation process following the Proposal's publication will provide further opportunity for stakeholder input.
Implications for Business
The Proposal, if passed in its current form, will be a welcome amendment to the GDPR for many SMCs. For many, the reality is that complying with Article 30 GDPR is burdensome and resource-intensive, particularly for companies that are not "data" heavy. The Proposal acknowledges the critical role of SMCs in sectors such as electronics, aerospace and defence, energy, and healthcare. The amendments aim to enhance competitiveness and accelerate growth for these enterprises by reducing administrative burdens.
More broadly, the Proposal may signal the beginning of a broader reflection on the application and future consolidation of the GDPR.
Conclusion
As the GDPR enters its eighth year, the Proposal reflects a maturing regulatory framework that seeks to balance robust data protection with the practical realities of doing business in a digital economy. Organisations should closely monitor these developments and consider how the proposed changes would affect their compliance strategies.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.