Go to DBLP homepageSimple Now, Complex Later: The Questionable Efficacy of Diluting GDPR Article 30(5)
Abstract: In mid-2025, the EU Commission proposed an amendment to the GDPR that extends the derogation to not maintain a record of processing activities under Article 30(5) to small and mid-cap organisations in addition to SMEs, with the intended goal of reducing reporting obligations and based on the Draghi report’s recommendations for improving competitiveness. In this article, I systematically show how this exemption does not provide any practical benefits as the information involved must still be collected to assess whether the exemption applies and to be maintained elsewhere to fulfil other GDPR obligations. I also highlight how Article 30 records are a key requirement for oversight and accountability, and that their absence will negatively affect the organisation’s data governance and compliance practices, thereby increasing risks and liability. I conclude with alternatives to mere ‘simplification’ based on responding to actual needs of organisations, taking advantage of RegTech/eGov technologies with known success stories, and to avoid diluting the GDPR as it risks damaging the future of EU’s digital policies. While the utility of this work is focused on short-term regulatory activities, the arguments and potential solutions proposed here are informative for future rule-making efforts in the EU.
External IDs:dblp:conf/apf/Pandit25
Loading