The European Commission’s May 2025 Simplification Omnibus IV proposal marks a meaningful inflection point in EU data privacy regulation. By extending the Article 30(5) record-keeping exemption to organisations with fewer than 750 employees — provided their data processing does not pose a high risk to data subjects — Brussels is signalling a deliberate shift from regulatory absolutism toward economic pragmatism. For CFOs, General Counsel, and compliance officers at mid-market enterprises, this is not merely an administrative relief measure. It is an opportunity to recalibrate your enterprise risk management framework ahead of a more complex regulatory landscape that is simultaneously expanding in scope.

Understanding the Scope of the Article 30(5) Amendment

Under the current GDPR framework, Article 30(5) already exempts organisations with fewer than 250 employees from maintaining comprehensive records of processing activities — unless processing is likely to result in a risk to data rights, involves special category data, or is not occasional. The Omnibus IV proposal triples that threshold to 750 employees, bringing a substantial cohort of small and mid-cap enterprises (SMCs) within scope of the exemption.

The critical qualifier, however, is the ‘high risk’ carve-out. Organisations processing sensitive personal data, operating automated decision-making systems, or deploying high-risk AI tools will remain subject to full Article 30 obligations regardless of headcount. This intersection is not incidental — it directly anticipates the EU AI Act, which enters full application in August 2026 and creates explicit compliance overlaps with GDPR for any high-risk AI system processing personal data.

General Counsel should note that the exemption is permissive, not prescriptive. Maintaining robust records of processing activities remains a cornerstone of defensible corporate governance and will be scrutinised under the European Data Protection Board’s newly launched Coordinated Enforcement Framework (CEF) 2026, which focuses specifically on transparency and information obligations — how clearly organisations explain data processing to individuals.

The AI-GDPR Compliance Intersection: A Compounding Risk

While Omnibus IV reduces administrative burden at one end of the spectrum, the regulatory stack is growing denser at the other. The proposed GDPR amendments clarify that AI providers may rely on legitimate interest as a lawful basis for AI model development using personal data — but only where enhanced safeguards are applied and data subjects retain an unconditional right to object. This is a nuanced concession, not a broad licence.

For CTOs and Chief Data Officers deploying machine learning or generative AI tools that ingest personal data, the practical implications are significant:

  • Data governance frameworks must be updated to document the legitimate interest assessment and the safeguards applied, even where the Article 30 record-keeping obligation is lifted.
  • Human oversight mechanisms required under the EU AI Act for high-risk systems must be architecturally integrated, not retrofitted post-deployment.
  • Data subject rights workflows — particularly the right to object — must be operationally functional, not merely stated in privacy notices.

Separately, the Digital Omnibus proposal’s move to eliminate consent requirements for approximately 60% of cookies by establishing a list of low-risk purposes — including audience measurement and security maintenance — will reduce friction for digital operations while requiring legal teams to re-map consent architectures accordingly.

Implications for Corporate Governance and M&A Due Diligence

From a corporate governance and transaction perspective, the Omnibus IV amendments introduce both opportunity and complexity. In M&A contexts, data privacy compliance has become a material diligence item — particularly for targets operating AI-driven products or holding significant volumes of personal data. The expanded exemption threshold may create a false sense of compliance readiness in target companies that have deprioritised data governance on the assumption that the exemption covers their exposure.

Board members and M&A Directors should ensure that data privacy due diligence frameworks are updated to assess not just whether a target is technically exempt under Article 30(5), but whether its processing activities would qualify as high-risk under the revised criteria — and whether its AI systems are on a credible path to EU AI Act compliance by August 2026.

From an ESG reporting standpoint, data privacy governance is increasingly treated as a proxy for broader operational integrity. Institutional investors and rating agencies are beginning to factor data stewardship into ESG assessments, making robust privacy programmes a reputational and financial asset, not merely a compliance cost.

Key Takeaway for Decision-Makers

The Simplification Omnibus IV offers genuine administrative relief for qualifying mid-market organisations — but it does not reduce the strategic importance of data privacy and AI governance. The regulatory environment is becoming simultaneously lighter in form and heavier in substance. Organisations that treat the 750-employee exemption as a reason to deprioritise compliance investment will be poorly positioned when the EU AI Act takes full effect and CEF 2026 enforcement actions begin. The pragmatic response is to use the administrative headroom created by Omnibus IV to invest in higher-order governance: AI risk registers, legitimate interest assessments, and cross-functional data stewardship programmes that will withstand both regulatory scrutiny and transactional due diligence.