Simple now, Complex later: The Questionable Efficacy of Diluting GDPR Article 30(5)

Read the full article See related articles

Listed in

This article is not in any list yet, why not save it to one of your lists.
Log in to save this article

Abstract

The EU Commission recently introduced an amendment to the GDPR that extends the derogation to not maintain a record of processing activities under Article 30(5) to small and mid-cap organisations in addition to SMEs, with the intended goal of reducing reporting obligations and based on the Draghi report's recommendations for improving competitiveness. In this article, I systematically show how this exemption will effectively not provide any practical benefits as the information involved must still be collected to assess whether the exemption applies, and will be maintained elsewhere as it is required to fulfil other obligations. I also highlight how Article 30 records are a key requirement for oversight and accountability, and their absence negatively affects the organisation's data governance and compliance practices and makes it more likely to introduce risks and liability. I conclude with other avenues the Commission should consider based on responding to actual needs of organisations, taking advantage of RegTech/eGov technologies based on known success stories, and to avoid diluting the GDPR as it risks damaging the future of EU's digital policies.

Article activity feed