Where to next for the EU GDPR? Proposed (very limited) amendments in sight

Lyndal Sivell
17 Jul 2025

It seems like only yesterday that we were putting our best laid EU General Data Protection Regulation (GDPR) plans into action – so many contract reviews and updates, gearing up for high volumes of data subject access requests, and in Australia, trying to work out whether certain processing activities would be captured or not. Now we are over seven years in, and the GDPR has certainly become the global cornerstone of data protection law. Though this does not come without its qualms. A consistent concern has been the administrative burden and associated costs of compliance.

On 21 May 2025, the European Commission published its Fourth Omnibus Package which set out its proposed amendments to the GDPR. This comes on the back of the recent joint letter to the European Commission which was adopted by the European Data Protection Board (EDPB) and the European Data Protection Supervisor, expressing preliminary support for the Proposal to simplify record-keeping obligations under the GDPR.

Targeted support for small mid-cap enterprises

Under Article 30 of the GDPR, controllers and processors of personal data are required to maintain records of processing activities. There is currently an exemption for small and medium-sized enterprises (SMEs) – organisations employing fewer than 250 persons – unless their processing is likely to result in a "risk" to the rights and freedoms of data subjects, the processing is occasional, or the processing includes special categories of data or personal data relating to criminal convictions and certain offences.

The European Commission has proposed extending this exemption to small mid-cap enterprises (SMCs). The European Commission's accompanying recommendation articulates that "although mid-caps are stronger, usually grow faster, are more innovative and deal better with digitalisation than SMEs, they face certain similar challenges such as administrative burden or the lack of skilled employees".

The Proposal sees SMCs as organisations that have outgrown being SMEs. The Proposal defines SMCs as organisations with fewer than 750 employees, a total balance sheet not exceeding EUR129 million and an annual net turnover not exceeding EUR150 million. This adds another definition to the EU data regulatory landscape – for instance, the Data Act, which becomes applicable in September, defines an SME as an enterprise which employs fewer than 250 persons and which has an annual turnover not exceeding EUR50 million, and a "small enterprise" as an enterprise which employs fewer than 50 persons and which has an annual turnover and/or annual balance sheet not exceeding EUR10 million. Also, to be considered in scope for the Network and Information Security 2 Directive, an entity must meet or exceed the ceilings for "medium-sized enterprises", which are defined as enterprises which employ fewer than 250 persons and which have an annual turnover not exceeding EUR50 million and/or an annual balance sheet total not exceeding EUR43 million.

Further, the Proposal specifies that SMCs will need to comply with Article 30 if the SMC's processing is likely to result in a "high risk" (a step up from the existing reference to "risk") to the rights and freedoms of data subjects.

To demonstrate further support for SMCs, the Proposal also includes a requirement that the specific needs of SMCs must be taken into account when the Member States, supervisory authorities, the EDPB and the European Commission draft codes of conduct and when certification bodies or competent supervisory authorities establish data protection certification mechanisms and data protection seals and marks.

Does the Proposal go far enough to improve the GDPR?

While some SMCs will be celebrating, for many this is a bit of a letdown. There had been a palpable sense of anticipation as to what proposals might emerge to simplify the GDPR. The Proposal is more limited and targeted than many had thought would be the case. The Proposal does not alleviate other significant administrative burdens, including carrying out Data Protection Impact Assessments – for instance, these will still need to be undertaken by the SMCs to work out whether their processing is likely to result in a "high risk" to the rights and freedoms of data subjects.

We will keep you posted on where the Proposal ultimately lands

The Proposal will now make its way through the EU's legislative processes, and it could be amended by the European Council or the European Parliament. We will update you on subsequent developments.

Disclaimer
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.