Does Simplifying GDPR Threaten Your Privacy?

Simplifying the General Data Protection Regulation (GDPR) for Small and Medium-sized Enterprises: Impacts and Challenges


An animated graph illustrating the concept of a knowledge graph
An animated graph illustrating the concept of a "Knowledge Graph" by visually and dynamically representing relationships between data and information.
“Portrait of Madame X - graph animation of knowledge graph” — Source: Wikimedia Commons. License: CC BY-SA 4.0.

Earlier this year, the European Commission proposed a comprehensive simplification package for the General Data Protection Regulation (GDPR) as part of the broader Omnibus IV initiative. This initiative is designed to ease the regulatory compliance burden on Small and Medium-sized Enterprises (SMEs). Under current rules, companies with fewer than 250 employees may be exempt from keeping detailed records of data processing activities, but this exemption is conditional on the processing being occasional, not involving special categories of sensitive data, and unlikely to pose any risks to individuals' rights. In practice, this current exemption is rarely utilized.

The new proposal would expand the exemption to companies with up to 750 employees, while simultaneously relaxing the risk threshold so that the full record-keeping obligation would apply only to companies engaged in "high-risk" data processing. Estimates suggest that this change could mean approximately 38,000 SMEs in the EU would face simplified GDPR obligations.

Challenges and Concerns Regarding the Proposed Simplification


A blue puzzle with assorted pieces

While EU policymakers consider easing GDPR compliance requirements for small businesses, the details of the proposed simplification warrant deeper scrutiny. Using employee count as the criterion for exemption or simplification is a fundamentally flawed approach that risks undermining the vital protections the GDPR provides in the digital age. Moreover, raising the risk threshold from "any risk" to "high risk" means that companies handling medium-risk data could still remain exempt.

The Intrinsic Value of the General Data Protection Regulation (GDPR)


A line graph trending upward

Before even considering weakening the General Data Protection Regulation, it is worth reflecting on its intrinsic value. First introduced more than 7 years ago, the regulation continues to serve as a vital global benchmark for privacy protection, which is crucial to maintain with the increasing adoption and risks of Artificial Intelligence. The regulation has proven effective in safeguarding privacy rights worldwide and in helping to avoid major cybercrime losses (up to 1.4 billion Euros, according to a CNIL report).

The Rationale for Simplification and its Potential Risks


A visual representation of connected data in a knowledge graph
A visual representation of connected data in a knowledge graph, illustrating relationships between different entities.
“2020-02 Smithsonian sample image - Knowledge Graph - 2021 Q1” — Source: Wikimedia Commons. License: CC0.

The intentions behind the proposed simplification are positive and justified. For many Small and Medium-sized Enterprises, navigating complex regulatory requirements can be overwhelming, especially in the absence of dedicated compliance teams or resources. Indeed, research reveals that approximately 11 working weeks annually are spent on regulatory compliance tasks, an increase of one week per year, reflecting the escalating complexity in this area. This echoes the findings of PwC’s Global Compliance Study, which indicates that 85% of organizations perceive compliance requirements to have become more complex over the past three years. Therefore, simplifying obligations might seem an effective way to foster innovation and reduce administrative burdens, but any changes to the General Data Protection Regulation must carefully balance business needs with the necessity of protecting individual privacy.

Why is Employee Count a Flawed Criterion for Risk Assessment?


An abstract graphical representation of data and charts on a computer screen

Tying compliance requirements to employee count fails to achieve this desired balance, and also fails to accurately reflect real-world privacy risks. Simply put, employee count provides little indication of the actual risks a company’s data processing activities might pose. Companies can easily manipulate their employee numbers by relying on external contractors or outsourcing, thereby evading GDPR scrutiny. Furthermore, in today’s digital economy, small teams can operate global platforms that process vast amounts of sensitive information. The growing impact of AI across industries, helping smaller teams achieve more and go further, makes employee count an outdated and inaccurate metric. The assumption that smaller payrolls mean fewer privacy risks ignores how many modern businesses operate, and how they are likely to operate in the near future.

Towards a More Effective and Proportional Compliance Framework

To create a more proportional and effective compliance framework, policymakers must look beyond mere employee numbers. While the proposal rightly excludes companies engaged in high-risk processing from simplified obligations, many real-world risks fall between the "low" and "high" levels, so more accurate metrics are needed for a comprehensive risk assessment. For example, factors such as the volume of data processed or company revenue could be considered. Factors like these better capture actual privacy risks and should play a more central role in determining when simplification is appropriate, without creating problematic loopholes that could endanger data.

Conclusion: The Future of Privacy and Shared Responsibility

Certainly, privacy regulations should not penalize innovation, but neither should they grant blanket exemptions that jeopardize individual rights. Ultimately, proposals to weaken the scope of the General Data Protection Regulation threaten to erode privacy protection at a time when it is most needed. Rapidly evolving AI technologies have the potential to further compromise privacy protection, and therefore, we must carefully consider any changes that would weaken these defenses. This includes reassessing not only who qualifies for exemptions based on size, but also how risks are primarily identified and evaluated. As data becomes more vulnerable, privacy protection is an increasingly shared responsibility. The focus must remain on strengthening protections and providing smart, proportionate support for businesses of all sizes. The future of privacy depends on it.
