Simplifying GDPR for SMEs: EDPB-EDPS Opinion

EDPB-EDPS Joint Opinion 01/2025 on the Proposal for a Regulation on simplification measures for SMEs and SMCs, in particular the record-keeping obligation under Art. 30(5) GDPR

Introduction

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have jointly issued Opinion 01/2025 on the European Commission's proposal for a regulation aimed at simplifying measures for Small and Medium-sized Enterprises (SMEs) and Small and Micro Companies (SMCs). This proposal specifically addresses the record-keeping obligations under Article 30(5) of the General Data Protection Regulation (GDPR).

Background

The GDPR, which came into effect in May 2018, introduced comprehensive data protection laws across the European Union. One of its key requirements is the obligation for data controllers and processors to maintain records of processing activities. However, this requirement has been seen as burdensome for SMEs and SMCs, which often lack the resources to comply fully with these obligations.

Key Proposals

The joint opinion highlights several key proposals aimed at easing the regulatory burden on SMEs and SMCs:

- **Simplification of Record-Keeping**: The proposal suggests a more streamlined approach to record-keeping obligations, allowing SMEs and SMCs to maintain simplified records that still ensure compliance with GDPR principles.

- **Thresholds for Obligations**: It introduces specific thresholds under which SMEs and SMCs may be exempt from certain record-keeping obligations, provided they do not engage in high-risk processing activities.

- **Guidance and Support**: The proposal emphasizes the need for clear guidance and support mechanisms to help SMEs and SMCs understand and implement their data protection obligations effectively.

Implications for Compliance Officers

Compliance officers within SMEs and SMCs will need to stay informed about these proposed changes and assess their potential impact on existing data protection practices. The simplification measures could reduce administrative burdens, but it is crucial to ensure that data protection standards are not compromised.

Conclusion

The EDPB-EDPS joint opinion on the proposed regulation represents a significant step towards balancing the need for robust data protection with the practical realities faced by SMEs and SMCs. Compliance officers should closely monitor the progress of this proposal and prepare for potential adjustments to their compliance frameworks.

Quelques pistes pour l'intégration opérationnelle dans votre dispositif :

- Évaluer les pratiques actuelles de tenue de registres pour identifier les opportunités de simplification.

- Mettre en place des formations pour sensibiliser les employés aux nouvelles exigences.

- Collaborer avec des experts en protection des données pour s'assurer que les simplifications ne compromettent pas la conformité.

- Surveiller l'évolution de la proposition et ajuster les politiques internes en conséquence.

- Utiliser des outils technologiques pour automatiser et simplifier les processus de tenue de registres.