Less Red Tape? EU Proposes GDPR Exemptions for SMEs

The European Commission has proposed a series of changes that could significantly ease GDPR compliance for small and mid-sized companies. Among the most impactful is a plan to exempt companies with fewer than 750 employees (classified as Small Mid-Caps (SMCs)) from GDPR record-keeping obligations, unless their data processing activities are considered “high risk.”

The Proposal

Currently, only companies with fewer than 250 employees benefit from exemptions under Article 30 of the GDPR, which waives the need to maintain detailed records of data processing, except in cases involving higher-risk data use. The Commission’s new Proposal, part of its broader Omnibus IV Simplification Package, looks to extend similar relief to SMCs, defined by a staff ceiling of 750 employees, turnover below €150 million, and assets under €129 million.

This is part of a broader strategy to cut administrative costs by €400 million annually across the EU. Nearly 38,000 companies stand to benefit, gaining relief from obligations often triggered the moment a business graduates from SME to large enterprise status.

Is This Really “Less Red Tape”?

On the surface, the proposal sounds like a win for growing businesses, removing bureaucratic hurdles that can slow expansion. However, the exemption only applies to companies that don’t engage in “high-risk” data processing, an inherently subjective and often complex assessment. Activities involving special categories of data, large-scale monitoring, or sensitive personal information still trigger full compliance obligations. In practice, many companies, even those under the new SMC threshold, will still need to maintain detailed records to evaluate their risk exposure.

In any case, simplification does not equate to total exemption. Tasks like mapping data flows or conducting Data Protection Impact Assessments (DPIAs) remain essential, not just for compliance but for determining whether the simplified rules apply at all.

Opportunities for Growth and Innovation

The proposed changes could still bring substantial benefits. By lowering the compliance cliff that comes with surpassing the 250-employee threshold, companies may be more willing to expand without fear of overwhelming administrative burdens. Freeing up internal resources that would otherwise be tied up in data governance could encourage innovation and investment in more strategic areas.

Importantly, the proposal also requires that the unique needs of SMCs be considered in drafting future data protection codes of conduct and certification mechanisms. This opens the door to more tailored, proportional regulation, better aligned with the capabilities and realities of smaller enterprises.

Risks of Simplified Data Protection Rules for Growing Businesses

The Proposal isn’t without its risks. Introducing a new category of company (SMCs) adds another layer of complexity. Definitions across EU legislation differ, and aligning them may prove challenging. For example, thresholds for the EU’s cybersecurity directive (NIS2) differ markedly from those now proposed under GDPR, potentially confusing businesses about their obligations across different regulatory regimes. Here are some broader risks involved with a simplification of rules for smaller enterprises:

1. Weakened Data Protection Standards

Reducing requirements such as record-keeping can unintentionally lower the quality of data governance. These records are fundamental to demonstrating GDPR compliance and maintaining oversight of how personal data is used. Without them, businesses may lose visibility into their data practices, be slower to identify breaches, and struggle to show regulators or consumers that they’re managing personal information responsibly.

2. Misjudging “High Risk” Processing

The proposed exemption only applies to companies that don’t engage in data processing likely to result in “high risk” to individuals’ rights. However, this is a difficult threshold to assess. Without formal tools like Data Protection Impact Assessments (DPIAs) or clear documentation, businesses may wrongly assume their activities are low-risk. This could lead to undetected compliance gaps, increased legal exposure, and a greater risk of enforcement action if something goes wrong.

3. Regulatory Inconsistency Across the EU

Although the European Commission is aiming for a harmonised digital regulatory framework, the reality is that enforcement varies across Member States. If supervisory authorities interpret the new exemptions differently, growing businesses operating across borders may face confusing or conflicting obligations. This undermines the GDPR’s goal of legal certainty and uniform application throughout the EU.

4. Competitive Disadvantage for Startups and SMEs

The new “SMC” classification introduces a middle ground between SMEs and large enterprises, but it could unintentionally disadvantage smaller companies. If mid-sized firms benefit from relaxed compliance rules while micro-businesses still shoulder full GDPR obligations, this creates an uneven playing field. It also risks concentrating competitive advantage in the hands of slightly larger firms that are more politically visible or better resourced.

5. A Threat to Public Trust

Today’s consumers are increasingly concerned with how their personal data is handled. If companies rely on simplified GDPR rules to cut corners, they risk eroding customer trust. Being seen as less transparent or less diligent in protecting personal data can damage brand reputation and weaken customer loyalty, especially in data-sensitive sectors like health, finance, or technology.

6. Higher Risk of Future Enforcement

Avoiding compliance tasks like record-keeping or DPIAs might save time now, but it can set a business up for costly consequences later. As a company scales or its data processing becomes more complex, failing to invest in proper documentation could make it harder to respond to regulatory scrutiny or to shift gears quickly when new obligations arise. In effect, the short-term relief from bureaucracy might turn into long-term legal or financial risk.

The Proposal will now enter the EU’s legislative process and is subject to amendment by both the European Parliament and the Council. While some expected more sweeping reforms, including standardised record templates or simplified legitimate interest assessments, the current package is a cautious step rather than a radical overhaul.

As the EU pushes toward its 2029 goal of slashing administrative burdens by 25% (and by 35% for SMEs), this GDPR reform could be an early indicator of things to come, offering both opportunities and challenges for the businesses navigating the evolving regulatory terrain.

How Can Gerrish Legal Help?

Gerrish Legal is a dynamic digital law firm. We pride ourselves on giving high-quality and expert legal advice to our valued clients. We specialise in many aspects of digital law such as GDPR, data privacy, digital and technology law, commercial law, and intellectual property. 

We give companies the support they need to successfully and confidently run their businesses whilst complying with legal regulations without the burdens of keeping up with ever-changing digital requirements. 

We are here to help you, get in contact with us today for more information.
