Seven years with the GDPR – time for changes: less paperwork, more flexibility for SMEs
On 21 March this year, the European Commission (EC) presented a package of legislative proposals aimed at simplifying the regulatory environment and reducing bureaucratic burdens in the European single market. This initiative is intended to support the competitiveness of European businesses and offers hope that EU legislation, including the General Data Protection Regulation (GDPR), will effectively achieve its aims without imposing excessive burdens on businesses.
In response to demands from small and medium-sized enterprises (SMEs) and small- and mid-cap companies (SMCs), the Commission proposed targeted changes to the GDPR, which has remained unchanged since its introduction in 2018.
What is going to change?
New definitions in Article 4 of the GDPR
The European Commission has proposed introducing two new definitions:
- Micro, small and medium-sized enterprises (SMEs)
- Small mid-cap companies (SMCs)
Until now, only SMEs could benefit from simplifications and fewer obligations relating to the protection of personal data (e.g. reduced documentation and simplified information obligations). Following the change, SMCs (companies that are larger than typical SMEs but not yet large corporations) will also gain access to these simplifications. This change should be viewed positively as it means less bureaucracy and a more proportionate approach to data processing.
Record of processing activities
Currently, Article 30 of the GDPR states that each controller and processor must maintain a record of processing activities and defines the information that the record should contain. However, paragraph 5 of this Article provides for an exemption for SMEs and organizations with fewer than 250 employees.
The EC proposes extending the scope of this exemption to include organizations with fewer than 750 employees. The EC also proposes limiting the obligation to keep the record to situations where processing activities are likely to present a ‘high risk’ to the rights and freedoms of data subjects. In practice, this means that more companies will be eligible for an exemption from the obligation to keep a record of processing activities, provided their activities do not pose a high risk to data subjects.
Code of conduct (GDPR Art. 40) and certification (GDPR Art. 42)
According to Article 40 of the GDPR, the Member States, the supervisory authorities, the European Data Protection Board and the Commission shall encourage associations and other bodies representing specific categories of controllers or processors to draw up codes of conduct taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises.
The EC proposes extending the scope of this provision to include SMCs so that their specific needs are also addressed when codes of conduct are drafted.
Article 42 of the GDPR states that the Member States, the supervisory authorities, the European Data Protection Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, and that the specific needs of SMEs should be taken into account in this context.
The EC proposes extending the scope of this provision to include SMCs so that their specific needs are also addressed when certificates are issued.
Positive direction of the changes
The European Commission’s proposals seem to be heading in a desirable direction — they could make it easier to apply data protection rules without affecting the GDPR’s fundamental role as a privacy protection instrument. In our view, the changes will only ease the burden on smaller organizations slightly, as they do not reduce the obligations relating to risk analysis.
Regarding codes of conduct and certification, the amendment aims to stimulate increased interest in these mechanisms, which should be viewed positively. We believe that codes of conduct could simplify compliance with GDPR requirements in practice. Professional and sectoral organizations could play a significant part in this and could start developing relevant documents right away.
Should you be interested in a detailed analysis of the impact of the proposed changes on your business, or if you need support in adapting to the changing regulations, we will be pleased to assist you.
CONTACT
E: magdalena.patryas@pl.Andersen.com
T: +48 32 731 68 84
M: +48 502 392 419