Earlier this year, the European Commission proposed a GDPR simplification package as part of the broader Omnibus IV initiative, designed to ease the compliance burden for so-called small mid-cap companies.
Under the current rules, companies with fewer than 250 employees may be exempt from maintaining detailed records of data processing activities, but only if their processing is occasional, involves no special categories of data and is unlikely to pose any risk to individuals' rights. Because all three conditions must hold, the exemption is rarely usable in practice.
Director of Governance, Risk, and Compliance at Vanta.
The new proposal would expand the exemption to companies with up to 750 employees and, at the same time, relax the risk condition: only companies engaged in "high-risk" data processing would lose the exemption. Estimates suggest this change would mean around 38,000 small mid-caps in the EU face simplified GDPR obligations.
As EU policymakers consider easing GDPR compliance for smaller businesses, the details of the proposed simplification deserve closer scrutiny. Using employee headcount as the criterion for exemption or simplification is fundamentally flawed and risks undermining the vital protections GDPR provides in the digital age.
Not only that, but moving the threshold from "any risk" to "high risk" means a company can carry out moderately risky processing and still be exempt.
Assessing the current compliance burden
Before we even consider weakening GDPR, it is worth reflecting on its value. In force for over seven years, GDPR continues to serve as the global benchmark for privacy protection, which is especially critical to keep intact as AI adoption, and the risk that comes with it, grows.
The regulation has proven effective in safeguarding privacy rights worldwide and in helping avert major cybercrime losses (up to €1.4 billion, according to CNIL).
The intentions of a proposed simplification are positive. For many small and medium-sized enterprises, navigating complex regulatory requirements can feel overwhelming, especially without dedicated compliance teams or resources.
In fact, research shows that 11 working weeks a year are spent on compliance tasks, up a week year-on-year. This echoes findings from PwC's Global Compliance Study, in which an alarming 85% of organizations say compliance requirements have become more complex over the past three years.
Simplifying obligations might therefore seem like an effective way to foster innovation and reduce administrative burdens, but any changes to GDPR must balance the needs of businesses with the imperative to protect individual privacy.
Tying compliance requirements to headcount fails to achieve that balance, and also fails to reflect real-world privacy risks.
Smarter metrics for smarter policy
Put simply, employee count says very little about the actual risk posed by a company's data processing activities. A business could keep its headcount below the threshold by relying on external contractors, and so sidestep GDPR scrutiny without reducing the amount or sensitivity of the data it handles.
Moreover, in today's digital economy, small teams can operate global platforms that process vast amounts of sensitive information. The growing impact of AI across industries, helping smaller teams do more and go further, makes headcount an even more outdated metric.
Assuming a smaller payroll means lower privacy risk ignores how many modern businesses function, and how they are likely to function in the future.
To create a more proportionate and effective compliance framework, policymakers must look beyond headcount. While the proposal rightly excludes companies engaged in high-risk processing from simplified obligations, many real-world risks fall between "low" and "high", so more nuanced and effective metrics are needed.
The volume of data processed and company revenue are two examples. Factors such as these better capture actual privacy risk and should play a more central role in determining when simplification is appropriate, without creating problematic loopholes.
Privacy is a shared responsibility
Privacy regulations certainly shouldn't punish innovation, but neither should they grant blanket exemptions that jeopardize individuals' rights. Ultimately, proposals that narrow GDPR's reach risk eroding privacy protections at a time when they are needed most.
Rapidly evolving AI technologies have the potential to further endanger privacy protections and so we must think hard about any changes that will weaken such defenses. This includes reevaluating not just who qualifies for exemptions based on size, but how we define and assess risk in the first place.
As data becomes more vulnerable, protecting privacy is increasingly a shared responsibility. The focus should remain on strengthening protections and providing intelligent, proportionate support for businesses of all sizes. The future of privacy depends on it.
This article was produced as part of TechRadarPro's Expert Insights channel, where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc.