Garrigues

Proposal by the European Commission to amend the GDPR: a critical review and practical suggestions

Europe

The European Commission has recently presented a proposal to amend the GDPR with a view to reducing the bureaucratic burden on small and medium-sized companies. The main measure that has been introduced is to expand the exceptions to the obligation to keep a Record of Processing Activities (RoPA). Although the intention behind the amendment is positive, the approach taken has been criticized because it fails to bear in mind the essence of compliance with the Regulation. We analyze what this implies (not necessarily an improvement for small and medium-sized companies) and propose various alternatives to facilitate compliance with the GDPR.

The European Commission has recently published a proposal for a regulation that aims to simplify certain obligations affecting micro, small and medium-sized enterprises. The measures addressed in this document include a proposal to amend the General Data Protection Regulation (GDPR). The spirit underlying this proposal is, principally, to simplify compliance with some of the obligations of the GDPR, supposedly with the aim of helping small and medium-sized companies to adhere to the Regulation by reducing the bureaucratic burden, in order to save costs and increase business efficiency.

Although the aim and intention are commendable, the content of the proposals could miss the mark, since they focus on certain aspects that are worlds away from the real problem SMEs face in adhering to the GDPR.

In this article we give specific examples and propose certain changes that could prove useful to improve the situation of compliance and adapt it to the reality faced by small and medium-sized businesses.

1. Obligation to keep a Record of Processing Activities and the exceptions

The main measure of the Commission’s proposal refers to the obligation in article 30 of the GDPR to keep a Record of Processing Activities (RoPA). Specifically, the proposal seeks to extend the threshold of exceptions that are applicable to this obligation, so that a greater number of businesses can decide not to keep a record.

The current wording of article 30, paragraph 5, of the GDPR contains the following exceptions:

The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organization employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offenses referred to in Article 10.

The text is clearly binding on all businesses with over 250 employees and also those with fewer numbers in any of the following three circumstances: (i) if the processing involves a risk, (ii) that is not occasional or (iii) that includes special categories of data or regarding criminal convictions.

The current text of article 30.5 is to be replaced with the following:

“The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organization employing fewer than 750 persons unless the processing it carries out is likely to result in a high risk to the rights and freedoms of data subjects, within the meaning of Article 35”.

As can be seen, in addition to the increase in the employee threshold, two of the three instances in which small companies must also keep a RoPA are also eliminated, namely that the processing is not occasional or that it includes special categories of personal data.

A reflection on this proposed amendment raises the following questions: does not having a RoPA actually relieve the bureaucratic burden? Does it make it easier for small companies to comply? Will it improve the level of compliance?

2. Comments on the proposed amendment

In our opinion, the proposed change poses doubts for two reasons: firstly because it does not bear in mind the origins of the current article 30.5 and the reasons why a numerical criterion was included in the text. Secondly, because it does not take into account the essence of what the RoPA means in a program of compliance with the GDPR and is misleading for obliged entities as to the most essential aim of the GDPR.

  • Increase in the number of employees

    Regarding the first reason, we need to take a look at how the GDPR evolved over the four years that the legislative process lasted at the EU institutions, until it was finally approved and published in the Official Journal of the European Union (OJEU) as compulsory legislation.

    In this regard, it should be borne in mind that in some of its initial versions, the draft GDPR contained several cases in which certain obligations were linked to different types of numerical criteria (for example, in the initial version of the proposed GDPR, the obligation to designate a Data Protection Officer (DPO) or representative at the EU was linked to the organization employing over 250 persons; subsequent versions linked it to the existence of processing that affected over 5,000 data subjects; these objective barriers were finally dropped). Against this background of objectively establishing obligations, article 30 introduced the obligation for businesses with over 250 persons to keep a RoPA. In this case, as opposed to others in which the numerical references were eliminated, the figure was maintained.

    During the passage of the GDPR through the European institutions, it swung between a legal approach based mainly on the Napoleonic Code system, of an administrative nature (continental European law), and the Common Law approach, with its element of “accountability”.

    “Accountability” is a legal concept that does not have a direct translation into Spanish. The Spanish version of the GDPR translates it as “responsabilidad proactiva”, whereas the AI Act translates it as “rendición de cuentas”. The full content of “accountability” includes: (i) the obligation to fulfill a specific obligation, (ii) to be able to demonstrate compliance at all times, and (iii) accountability or responsibility in the event of non-compliance with either of these two obligations.

    The final result was a hybrid regulation that includes articles representing both legal systems. For example, articles 13 and 14 (obligation to provide information), article 28 (content of the processor agreement) and article 30 (RoPA) are a clear representation of the heavily administration-oriented tradition, whereas article 5.2 (accountability principle), article 25 (privacy by design and by default) and article 32 (security of processing) are clear examples of the Common Law approach.

    The final review, and the consensus that needed to be reached in order to publish a regulation accepted by all, was not an easy task. The political agreement reached clearly involved removing the objective references to compliance and replacing them with a more flexible approach, in line with the case in hand, applying risk analysis criteria. The references indicated were eliminated (number of employees or processing for the DPO, number of employees or data subjects affected for a representative in the EU, etc.) and replaced with specific obligations or uncertain legal concepts, because it was considered that adherence to the provision should not be established in terms of thresholds, but rather that the most important criterion was the risk to the rights and freedoms of the data subjects whose data were being processed. The risk that processing poses to persons obviously does not depend on the number of employees at the organization processing the data, or on any other objective criterion. The data processing carried out by a company with 1,000 employees can involve less risk than the processing carried out by a company with 25 employees.

    In this final task of eliminating numerical thresholds, the threshold in article 30.5 of the GDPR can hardly be classed as anything other than a last-minute oversight, because the advisability of keeping a RoPA has nothing to do with the number of persons employed by the organization. In any event, even if that wording was not an oversight, the text itself does not include sufficient “exceptions to the exception”, which in practice means that the RoPA is an obligation in the vast majority of cases, bearing in mind the extent to which technology is used nowadays.

    Therefore, the increase in the number of employees needed to keep a RoPA is hard to understand.

  • Doubts regarding the greater flexibility in general

    The second observation regarding the approach of the proposed modification to the obligation to keep a RoPA hinges on the essence of what a RoPA actually is and its place in the scheme of adherence to the GDPR. We should not lose sight of the fact that the proposal has emerged seven years after the compulsory application of the Regulation, when we now have sufficient experience and practical and legal criteria to understand what a RoPA actually is, its importance and what it means.

    As we have seen, in addition to the numerical criterion regarding the employees, the proposal eliminates the obligation to keep a RoPA where the processing entails a risk to the rights and freedoms of the data subjects (it is replaced with “a high risk”), where the processing is not occasional and where special categories of data are processed.

    It should be borne in mind in this regard that the RoPA can be classed as the backbone of a program of compliance with the GDPR. This is because, more than simply a formal obligation to draft a document, a RoPA constitutes a detailed inventory of the data processing carried out by the data controller. This is, in turn, essential in order to comply with many of the other obligations of the GDPR. The most immediate is the obligation to provide information (article 13), which requires the data controller to provide the data subject with all the important information affecting the processing. These points are listed in detail in the RoPA and, for this reason, drafting a privacy policy without a RoPA becomes an unwieldy and abstract task. A RoPA is equally important in relation to the verification of data storage obligations, security measures, international transfers, the control and monitoring of data processors, and data disclosures. This is all reflected in the RoPA and serves as a guide to adhering to the GDPR.

    Anyone who has rigorously prepared a GDPR compliance project knows that without the RoPA, the task is much more complicated. This is why it is surprising that increasing the number of cases in which it is not necessary to have a RoPA is considered a “measure to bring in flexibility”. The consequences, far from bringing in flexibility and reducing red tape, can only be a deterioration in the extent to which SMEs comply with the GDPR and greater difficulty in achieving a good program of coherent and orderly compliance. Companies that qualify for these exceptions could be lulled into a false sense of security as to their compliance and will find it more difficult to adhere fully to the GDPR. It could also increase the number of companies that are falling into the hands (ever more often) of unscrupulous advisors who sell photocopied paper without valid content (since a RoPA is not needed, it is easier for a program devoid of content to be overlooked by someone without knowledge of the subject).

3. Proposals to improve the GDPR

Consequently, the GDPR does not need to be made more flexible as far as the RoPA is concerned. We will now look at which measures could actually prove useful to help SMEs comply with the Regulation and, in short, better protect the rights and freedoms of the data subjects (which is what really matters).

From the experience gained in the nine years that have passed since the publication and entry into force of the GDPR in 2016, and the seven years of mandatory compliance since May 25, 2018, there are several improvements that could be made, even without the need to change a single comma of the GDPR. Some examples:

  • To promote, more efficiently, the publication of codes of conduct or certification schemes. The proposed amendment of the GDPR propounded by the Commission also includes, as second and third measures, the inclusion of a specific reference to mid-cap enterprises, in addition to the SMEs already mentioned in the articles setting out the possibility of approving codes of conduct and certification schemes. However, what is actually needed is for their creation to be actively encouraged, for example by publishing content templates for codes of conduct that industry associations can use as a reference.
  • To develop documentation that enables compliance with data transfer impact assessments (DTIA). At present, it is extremely frustrating to see how countless companies are forced to repeat the same analysis carried out hundreds of times before by other companies. It means they have to spend a small fortune to obtain a report that could well have been prepared by one of the competent public authorities. For example, although a DTIA requires various inputs, some specific to the case in question, many others refer to the analysis of the legal system and the application of the law in the country receiving the data. Making each company that is going to perform an international transfer to a particular country based on standard contractual clauses (the vast majority) commission a legal report on that country is an unfair and disproportionate bureaucratic and economic burden. Indeed, this burden could be eliminated entirely by means of a single report per country prepared by a national or European institution. Needless to say, eliminating the RoPA will not reduce this real and everyday problem.
  • To simplify the interpretation of the Regulation through the implementation of effective and useful consultation channels by the supervisory authorities. To focus supervision on a constructive discussion process between the authority and the controller so that progress can be made in compliance beyond penalty proceedings. In addition, to make sure that companies are not afraid to approach the authorities and make them feel confident that they are going to receive assistance and not silence or evasive answers.
  • To support and help companies that suffer cyberattacks improve their situation as regards information security. In most cases, if not all, despite having invested in cybersecurity, businesses are helpless in the event of a cyberattack and, to make matters worse, this also involves a penalty from the supervisory authorities. The penalty system should be the “last resort” in the application of the GDPR, reserved for clear cases of willful or recalcitrant breach and not for cases in which businesses suffer unwanted situations even though they have tried to comply.

In closing, the amendments made to the GDPR, which seek to make it more flexible and improve efficiency at companies without weakening the protection of personal data, should be welcomed and encouraged. However, it might perhaps be easier to reflect on how to achieve these same objectives without changing the Regulation (which was so difficult to approve and is so resolute), addressing the practical problems in its application and facilitating its real and effective compliance by the entities that are subject to it.