The European Commission (EU Commission) has published a proposal for a GDPR record-keeping exemption for SMEs and small mid-cap companies (SMCs) as part of its Omnibus IV Simplification Package. If adopted, this amendment to Article 30(5) of the GDPR could bring long-awaited relief to smaller organisations by lifting one of the more resource-intensive compliance burdens: the obligation to maintain detailed records of processing activities (ROPAs).

For many SMEs and mid-sized companies, especially those operating in lean or cross-border environments, this proposal could shift how they structure their GDPR compliance programmes. But it’s not a free pass; understanding whether your organisation qualifies for this exemption and what counts as “high-risk” processing will be key. In this article, we unpack what the proposed change means, who may benefit, and what SMEs and SMCs should start doing now to prepare.

What is the Omnibus IV Simplification Package?

The Omnibus IV Simplification Package is part of the EU Commission’s broader strategy to boost long-term competitiveness and reduce red tape for smaller organisations. It introduces targeted amendments to several EU laws, including the GDPR. These amendments aim to make legal obligations clearer, fairer and easier to follow. Specifically, the proposed changes to Article 30(5) of the GDPR would exempt SMEs and SMCs from maintaining ROPAs, provided they do not perform high-risk processing.

Additional proposed changes for SMCs

The proposal also includes updates to Articles 40 and 42 of the GDPR, extending their scope to cover SMCs. This means that when sector-specific codes of conduct (Article 40) and certification mechanisms (Article 42) are developed, the specific needs of SMCs (alongside SMEs) must now be taken into account. A definition of an SMC would also have to be added to Article 4 of the GDPR. These changes reinforce the EU Commission’s intention to make GDPR compliance more proportionate and accessible for a broader range of growing businesses.

Current GDPR record-keeping requirements for SMEs and SMCs

Article 30 states that all organisations must keep detailed records of processing activities. The records must contain:

  • the name and contact details of the controller, its representative and the data protection officer;
  • the purposes of processing;
  • a description of the categories of data subjects and personal data;
  • data sharing and transfer practices; and
  • technical and organisational safeguards.

Article 30(5) currently offers a limited exemption for organisations with fewer than 250 employees, but only where processing is:

  • occasional,
  • non-sensitive, and
  • unlikely to pose a risk to the rights and freedoms of individuals.

Most SMEs regularly process personal data, especially in marketing, HR and customer services, making this exemption impractical.

A proposed risk-based threshold for record-keeping

The proposal aims to make the record-keeping exemption under Article 30(5) more practical and balanced. It replaces the strict “occasional processing” requirement with a risk-based approach. Under the proposal, organisations with fewer than 750 employees may qualify for the exemption, provided their processing is unlikely to create a high risk to the rights and freedoms of individuals. This makes compliance easier by tying the duty to keep records to the level of risk, not to how often you process personal information.

What is considered “high-risk” processing?

Article 35 and the European Data Protection Board (EDPB) guidelines set criteria to identify “high-risk” processing, rather than providing a fixed definition. High-risk processing includes activities likely to pose significant risks to individuals’ rights and freedoms because of their nature, scope or purpose. Indicators of high-risk processing include:

  • profiling or automated decisions that legally or significantly affect individuals;
  • large-scale processing of special personal data, like health or biometric data;
  • systematic monitoring of publicly accessible areas;
  • processing affecting vulnerable people, such as children;
  • using innovative or new technology alongside other risk factors; and
  • inadequate safeguards for data privacy, purpose limitation and fairness.

Using new technology on its own does not automatically make your processing high-risk. You must assess the technology together with other factors, such as the scale of processing, the type of personal information involved, and the potential impact on data subjects. If your processing activities do not meet the high-risk threshold, you may qualify for the proposed exemption from keeping a ROPA under Article 30(5). Before you begin processing, you must carry out a data protection impact assessment (DPIA) to determine whether your processing is high-risk.

What does this mean for SMEs and SMCs?

The proposed change could make it easier for SMEs and SMCs to meet GDPR requirements. But it’s important to weigh both the benefits and the limits of the exemption. If your processing is low risk, you won’t need to maintain a ROPA under Article 30. This can save time, money and effort, especially for small businesses. The exemption links compliance duties to actual risk, which makes the provisions of the GDPR more practical as your business grows. However, the exemption only applies to record-keeping under Article 30(5). You still need to comply with all the obligations set out in the GDPR, including those on transparency, data minimisation, lawful processing and security.

You should plan for change. If your business expands or starts high-risk processing, you will need to resume internal record-keeping. It’s a good time to put in place an agile data governance structure that can scale with your needs.

Many African startups and service providers who target EU users – whether by offering goods, services or tracking behaviour – already fall under the GDPR. For them, this proposal may ease the burden. Still, it’s crucial to check whether your processing counts as “non-high-risk”, especially if you handle sensitive personal data or use analytics or AI tools.

Actions you can take