Simple now, Complex later: The Questionable Efficacy of Diluting GDPR Article 30(5)

The EU Commission recently introduced an amendment to the GDPR that extends the derogation to not maintain a record of processing activities under Article 30(5) to small and mid-cap organisations in addition to SMEs, with the intended goal of reducing reporting obligations and based on the Draghi report's recommendations for improving competitiveness. In this article, I systematically show how this exemption will effectively not provide any practical benefits as the information involved must still be collected to assess whether the exemption applies, and will be maintained elsewhere as it is required to fulfil other obligations. I also highlight how Article 30 records are a key requirement for oversight and accountability, and their absence negatively affects the organisation's data governance and compliance practices and makes it more likely to introduce risks and liability. I conclude with other avenues the Commission should consider based on responding to actual needs of organisations, taking advantage of RegTech/eGov technologies based on known success stories, and to avoid diluting the GDPR as it risks damaging the future of EU's digital policies.