Earlier this year, the European Commission proposed a GDPR Simplification Package as part of the wider Omnibus IV initiative, designed to reduce the compliance burden on so-called small mid-cap companies.
Under the current rules, companies with fewer than 250 employees may be exempt from maintaining detailed records of processing activities, but only if their processing is occasional, does not involve special categories of data and is unlikely to pose any risk to the rights of individuals. In practice, this exemption can rarely be used.
Governance, Risk and Compliance Director at Vanta.
The new proposal would extend the exemption to companies with up to 750 employees and, at the same time, relax the risk threshold, so that the record-keeping obligation would apply only to companies engaged in “high-risk” data processing. Estimates indicate that this change would mean 38,000 small mid-caps in the EU would face simplified GDPR obligations.
As the EU's political leaders consider easing GDPR compliance for smaller companies, the details of the proposed simplification deserve closer scrutiny. Using employee headcount as the criterion for exemption or simplification is fundamentally flawed and risks undermining the vital protections that the GDPR provides in the digital age.
Not only that: lowering the risk threshold from “any risk” to “high risk” means that companies can handle moderately risky data and still be exempt.
Assessing the current compliance burden
Before considering weakening the GDPR, it is worth reflecting on its value. Enacted more than seven years ago, the GDPR continues to serve as the vital global standard for privacy protection, which is especially critical to keep intact given the growing adoption and risk of AI.
The regulation has proven effective in safeguarding privacy rights worldwide and in helping to avoid major losses from cybercrime (up to 1.4 billion euros, according to the CNIL).
The intentions behind the proposed simplification are positive. For many small and medium-sized enterprises, navigating complex regulatory requirements can feel overwhelming, especially without dedicated teams or compliance resources.
In fact, research shows that 11 weeks of work per year are spent on compliance tasks, increasing by a week each year. This echoes the findings of the PwC global compliance study, in which an alarming 85% of organizations say that compliance requirements have become more complex in the last three years.
Simplifying obligations may therefore seem an effective way to promote innovation and reduce administrative burdens, but any change to the GDPR must balance the needs of companies with the imperative of protecting individual privacy.
Removing compliance requirements on the basis of headcount does not achieve that balance, nor does it reflect real-world privacy risks.
Smarter metrics for a smarter policy
In short, employee count gives only a minimal indication of the real risk posed by a company's data processing activities. Companies could easily manipulate their headcount by relying on external contractors, thereby evading GDPR scrutiny.
Moreover, in today's digital economy, small teams can run global platforms that process vast amounts of sensitive information. The growing impact of AI across all industries, which lets smaller teams do more and go further, makes headcount an even more outdated metric.
Assuming that a smaller payroll means lower privacy risk ignores how many modern companies operate and how they are likely to operate in the future.
To create a more proportionate and effective framework, policymakers must look beyond headcount alone. Although the proposal rightly excludes companies engaged in high-risk processing from simplified obligations, many real-world risks fall between “low” and “high”, hence the need for more nuanced and effective metrics.
For example, the volume of data processed or the company's revenue. Factors such as these better capture real privacy risk and should play a more central role in determining when simplification is appropriate, without creating problematic gaps.
Privacy is a shared responsibility
Privacy regulations certainly should not punish innovation, but neither should they grant blanket exemptions that endanger people's rights. Ultimately, proposals to weaken the GDPR's scope risk eroding privacy protections at a time when they are needed most.
Rapidly evolving technologies have the potential to endanger privacy protections even further, so we must think carefully about any change that weakens such defenses. This includes reassessing not only who qualifies for size-based exemptions, but how we define and evaluate risk in the first place.
As data becomes more vulnerable, protecting privacy is increasingly a shared responsibility. The focus must remain on strengthening protections and providing smart, proportionate support for companies of all sizes. The future of privacy depends on it.
This article was produced as part of the TechRadarPro Expert Insights channel, where we feature the best and brightest minds in the technology industry today. The opinions expressed here are those of the author and are not necessarily those of TechRadarPro or Future PLC.