Regulatory Outlook

Data law | UK Regulatory Outlook May 2025

Published on 29th May 2025

UK: Data (Use and Access) Bill: Parliament continues to debate AI and copyright | EDPB approves the extension of adequacy decisions for the UK | EU: European Commission to reduce GDPR record-keeping burden for small/medium companies with fewer than 750 employees 

UK  

Data (Use and Access) Bill: Parliament continues to debate AI and copyright  

The Data (Use and Access) Bill has entered the "ping pong" stage where both Houses of Parliament have to agree the wording of the bill for it to become law. AI is the most contentious issue. See AI section for an overview of the Commons' and Lords' positions.  

EDPB approves the extension of adequacy decisions for the UK  

The European Data Protection Board (EDPB) has approved the extension of the two 2021 adequacy decisions with the UK for a period of six months, until 27 December 2025. The extension was previously proposed by the European Commission to allow time for the legislative process on the Data (Use and Access) bill to conclude. See this Regulatory Outlook.  

EU 

European Commission to reduce GDPR record-keeping burden for small/medium companies with fewer than 750 employees 

The European Commission has published a Single Market Simplification Proposal (its fourth Simplification Omnibus package). If adopted, this will, among other things, simplify the EU GDPR record-keeping obligations for small and medium-sized enterprises (SMEs) and "small mid-cap companies" (SMCs) with fewer than 750 employees.  

The current position: 

  • Article 30(1) of the GDPR is the obligation to maintain records of processing.
  • Article 30(5) exempts SMEs and other organisations with fewer than 250 employees (with some exceptions).
  • The exemption applies only if processing is only occasional, not likely to cause risk to data subjects, and does not involve special categories of personal data or data on criminal offences. 

The Commission is proposing: 

  • Extending the current exemption under Article 30(5) to include SMCs and other organisations with fewer than 750 employees (and which are below a certain annual turnover threshold, in the case of companies – see below).  
  • Changing Article 30(5) so the exemption would apply unless the processing is "likely to result in a high risk to the rights and freedoms of natural persons"; a change from the current provision which states that the exemption applies unless the processing is "likely to result in a risk" and is just occasional.  
  • Adding a recital which will clarify that the processing of special categories of personal data in accordance with Article 9(2)(b) (that is, in order to meet legal obligations in employment, social security or social protection law) would not, as such, trigger the record-keeping obligation. 

There would be associated amendments to GDPR Article 4 (to add definitions of micro, small and medium-sized enterprises, and for small mid-cap enterprises) and to Article 40 (codes of conduct) and Article 42 (certification mechanisms). 

The Commission has recommended that the definition of SMCs to be used should cover enterprises which have fewer than 750 employees and have either an annual turnover not exceeding EUR 150 million, or an annual balance sheet total not exceeding EUR 129 million. 

In a letter issued shortly before the proposal was published, the EDPB and the European Data Protection Supervisor expressed their "preliminary support" for the Commission's initiative, noting that they understand that there will be a consultation on the proposals, which will allow them to comment in more detail. 

Putting in place and operating the systems necessary to properly comply with GDPR record-keeping obligations is a particular burden (and cost) for many smaller businesses, so the proposed changes will be warmly welcomed by businesses and other organisations which come within the relevant definitions. 

Of course, these proposals are only for the EU GDPR, and not the UK's version, so businesses in the UK whose processing is caught by the EU GDPR will still have to comply with the more onerous UK obligations. Ironically, the previous UK government had proposed (under its Data Protection and Digital Information Bill (No. 2)) to largely eliminate the obligation to keep records under the UK GDPR unless they were likely to give rise to a high risk, but these proposals were dropped when the current government replaced it with the draft Data (Use and Access) Bill.

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.
