For nearly eight years, every European business with 250 or more employees has been required to maintain a 'record of processing activities' (ROPA) under Article 30 of the General Data Protection Regulation. The original idea was sound: force organisations to take stock of what personal data they hold, why they hold it, and where it flows. In practice, Article 30 became a paperwork ritual that scaled poorly with company size and, increasingly, a symbol of the GDPR's reputation for box-ticking.
The European Commission's 2025 'Omnibus' simplification package — part of President von der Leyen's competitiveness agenda following the Draghi report — proposes a modest fix: raise the employee threshold for the Article 30(5) exemption so that small mid-cap enterprises (SMCs), not just SMEs, can skip the formal ROPA requirement when their processing is low-risk. The debate spilling into 2026 has been louder than the change itself warrants.
What the Omnibus actually changes
Article 30(5) of the GDPR already exempts organisations with fewer than 250 employees from maintaining records of processing — unless their processing is likely to result in a risk to data subjects, is not occasional, or involves special categories of data. That carve-out has always been narrow in practice: most firms with customer databases or HR files end up keeping ROPAs anyway.
The Omnibus would extend that baseline exemption to the newly defined category of 'small mid-cap' enterprises — businesses with up to 750 employees, sitting between SMEs and full-scale corporates. The risk-based exceptions in the original Article 30(5) remain intact. A firm processing health data, running automated decision-making, or systematically profiling users would still be obliged to document its operations regardless of headcount.
This is not, in other words, a repeal of accountability. It is a recalibration of who must produce one specific compliance artefact.
The case for proportionality
The Commission's own evidence base — including the Draghi report on European competitiveness and a series of impact studies on regulatory burden — has consistently flagged GDPR compliance costs as disproportionately heavy on growing European businesses. ROPA documentation in particular has spawned a small consultancy industry without obvious commensurate benefits to data subjects.
The accountability principle in Article 5(2) GDPR does not disappear when Article 30 obligations are eased. Controllers remain bound by:
- Article 5 lawfulness, fairness, and transparency principles
- Articles 13–14 information obligations to data subjects
- Article 32 security-of-processing requirements
- Articles 33–34 breach notification duties
- Article 35 Data Protection Impact Assessments for high-risk processing
None of these are touched by the Omnibus. A regulator investigating a breach at a 600-person SaaS company will still demand evidence of lawful basis, retention policies, and security controls — they will simply not be able to fine the company for failing to keep a specific spreadsheet.
The critics' concern, fairly stated
EDRi and Max Schrems' NOYB have argued that ROPA documentation is the connective tissue that makes other GDPR obligations enforceable: without a written record, supervisory authorities lose visibility into what is actually happening inside companies. There is something to this. ROPAs are often the first document a Data Protection Authority requests during an audit, and they discipline internal data governance.
'Accountability is meaningless if it cannot be inspected,' EDRi argued in its response to the Omnibus consultation — a defensible position, but one that assumes the only inspectable accountability is the one currently codified in Article 30.
The counter-argument is that for a 400-person logistics firm processing routine commercial data, a formal ROPA contributes little to actual data subject rights, while consuming legal and DPO time that could be spent on substantive controls. Regulators have always retained the power to request documentation under Article 58 investigative powers; the Omnibus does not curtail that.
A test for the EU's reform credibility
The bigger story is whether Europe can actually simplify its own rulebook. The Draghi report estimated that EU regulatory compliance costs are equivalent to a meaningful share of business operating expenses for mid-sized firms, and the Commission has committed to reducing reporting burdens by roughly 25% for companies and 35% for SMEs by the end of this mandate.
Walking that commitment back at the first sign of NGO pressure would signal that the EU's competitiveness pivot is rhetorical. Holding the line on a narrow, risk-based adjustment — while preserving the substantive privacy protections that have made GDPR a global benchmark — would signal the opposite.
Our take
The Article 30 amendment is exactly the kind of edit the GDPR needs: targeted, evidence-led, and reversible. It does not weaken the rights of data subjects; it removes a paperwork obligation from firms that the regulation's own risk-based architecture was never meant to capture in the first place. If Brussels can resist the binary framing that any change is a 'gutting' of the GDPR, the Omnibus could become a template for the kind of mature, proportionate regulation Europe says it wants.
The harder work — clarifying legitimate interests, fixing cross-border enforcement, and ending the cookie-banner farce — still lies ahead.