Simplifying the GDPR for small and medium-sized businesses
The European Commission is working on changes to the General Data Protection Regulation (GDPR) to make life easier for small and medium-sized businesses (SMEs), as per its proposal published in May 2025. These proposed changes aim to reduce red tape while still keeping personal data safe.
One major part of the proposal is updating Article 30 of the GDPR, which currently requires most businesses to keep detailed records of how they handle personal data. At the moment, companies with fewer than 250 employees are exempt from this requirement (as long as they’re not doing high-risk data processing). The new proposal would raise that threshold to 750 employees, meaning more companies would be exempt, but only if their data handling does not pose a high risk to people's rights or privacy.
The Commission also wants to create a new legal category called "Small and Medium-sized Companies" (SMCs). These are businesses with fewer than 750 employees and revenues below a certain limit, even if they don’t officially qualify as SMEs under older EU rules. These SMCs would get easier access to simplified rules and support tools, like:
- Industry-specific codes of conduct,
- Certification programs, and
- Standard templates and best-practice guides from the EU.
EU data protection authorities, including the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS), have welcomed these efforts but have also expressed some concerns. In particular, they worry that there has not been a proper impact assessment of the changes, that it is not clear what “high risk” really means in this context, and that raising the employee threshold could weaken existing data protections if not done carefully.
Still, both institutions agree that smart, targeted changes, if done right, could help businesses follow the rules more easily without compromising people’s data rights. As these proposed changes to the GDPR are still in the early stages, small and medium-sized companies should stay informed and follow developments closely, especially if they stand to benefit from the proposed simplifications once they become effective law.