🔍 A reform that seems attractive at first glance
Under the guise of reducing administrative burdens for SMEs, the European Commission is considering:
- Extending the exemption from maintaining a record of processing activities to organizations with fewer than 750 employees (up from 250); and
- Eliminating the criterion of “occasional” processing.
Â
A double simplification on the surface… but a major step backward in reality
Indeed, this reform does not simplify – it dismantles. The record of processing activities is not a bureaucratic formality – it’s the essential navigation tool that allows us to:
- Map data flows and detect vulnerabilities
- Demonstrate compliance (accountability principle)
- Anticipate Data Protection Impact Assessments (DPIAs)
- Secure partnerships and optimize processing activities
Without their record, DPOs are like doctors without medical files.
How can they identify risks? How can they build a sound security policy? How can they respond to data subject rights requests?
Without this tool, they operate blindly amid “dark zones” and “uncontrolled flows.”
Â
đźš« What are the risks?
Yes, this reform would spare SMEs the initial costs of compliance. But it exposes them to far greater financial risks. Each DPIA costs around €3,000, and some companies need to conduct up to 8 per year. Without a preventive registry, these costs skyrocket.
Moreover, the CNIL issued 87 sanctions in 2024, amounting to a total of €55,212,400 in fines – clear proof that enforcement is ramping up. In this repressive context, eliminating the primary traceability tool is reckless.
It’s not the record that is costly to companies – it’s the bad practices it uncovers. Abolishing it amounts to creating a two-tier GDPR.
Â
This proposal risks dragging Europe back into an outdated digital world – marked by opacity and information asymmetry. In the data economy, trust is an invaluable asset we cannot afford to squander.
