Transcend’s Ron De Jesus says the European Commission should prioritize consolidating the General Data Protection Regulation’s record-keeping requirements rather than exempting more companies from them.
When the European Commission floated “simplified” record-keeping requirements under the General Data Protection Regulation—the gold standard in global privacy law—privacy professionals had hoped for less administrative burden and more proportionate compliance obligations for small and medium-sized businesses.
But the proposal that emerged this spring fell short of delivering the clarity and efficiency we need, and it doesn’t simplify anything for anyone.
The proposed changes center around the GDPR’s Article 30, which governs records of processing activities, or ROPAs. These records aim to keep companies accountable by requiring them to document their practices around processing personal data.
Under the proposal, more companies would be exempt from keeping these records. That might seem like a relief at first, but much of the same information companies must document in their ROPAs is required elsewhere in the GDPR, specifically in Article 13.
Article 13, which applies regardless of company size, requires organizations to provide transparency to data subjects at the moment of data collection—informing individuals of the purposes of processing, categories of data recipients, international data transfers, and storage periods. ROPAs require all this information.
While exempting more companies from Article 30 may reduce a few requirements for them, non-exempt organizations still must deal with the redundancies.
Genuine Simplification
If the goal is to reduce redundancy and lower administrative burdens, aligning Articles 13 and 30 would have been a more effective change to GDPR recordkeeping.
The overlap between the articles is considerable, and by consolidating these into a single, living document—kept current and made public—organizations could efficiently meet transparency and accountability expectations.
This single-source approach would end duplicative documentation efforts across privacy, compliance, and legal teams; give consumers a central, up-to-date view of how organizations use their data (thus delivering on the GDPR’s transparency promise); and strengthen trust between companies and EU regulators.
Instead of fragmenting recordkeeping, we should be streamlining it. A public, consolidated privacy record is the most straightforward solution.
Also, most of the disclosure requirements under Article 30 are redundant with US state laws in California, Colorado, Connecticut, and Virginia that require transparency around data categories, retention, and use cases. So for international organizations, this is far from a novel disclosure frontier.
Consolidating and simplifying these disclosures would help standardize transparency efforts across jurisdictions, which would be good news for consumers who often don’t understand such notices, according to Pew Research Center.
Addressing Concerns
Some privacy professionals may worry that expanding requirements for public disclosure would make privacy policies even longer and more difficult to understand. But it’s not the information that makes privacy policies unreadable—it’s the way they’re written.
Plain language, clear headings, and thoughtful visual aids go a long way toward making complex information accessible. This is a content strategy problem, not a regulatory one.
Others might have concerns about publishing technical and organizational records required under Article 30 to the public. But this is another manageable issue.
If there are specific categories of information (such as proprietary security controls) that companies truly can’t publish, they shouldn’t have to. Organizations could withhold some proprietary details while still meeting disclosure expectations, with supervisory authorities retaining the right to request full records if necessary.
Collaboration Over Exemption
The missed opportunities in this GDPR simplification attempt highlight the need for more dialogue between policymakers and the professionals tasked with operationalizing the GDPR on the ground.
Those of us managing real-world compliance programs understand where the burdens and opportunities lie. My fellow privacy leaders aren’t calling for fewer responsibilities—we’re just asking for smarter, better-aligned ones.
The European Commission’s intent to reduce complexity is commendable. But to make compliance easier and more meaningful, it’s worth reconsidering what simplification actually looks like for all affected.
Exemptions may help some, but a unified, transparent, and purpose-built framework would help regulators, businesses, and individuals alike.
This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law, Bloomberg Tax, and Bloomberg Government, or its owners.
Author Information
Ron De Jesus is field chief privacy officer at data privacy platform Transcend. Formerly the chief privacy officer of Grindr, he has experience helming privacy programs at companies such as Match Group and Coach.