GDPR reform: Opening Pandora's box

Translating to "all-gifted," or "she who sends up gifts" the Greek myth goes that Pandora was created by the gods and bestowed with blessings and charms. In many ways, she was made and seen as perfect. Told never to open a jar, latterly mistranslated as a box, curiosity got the better of Pandora and, in opening the jar, she released all manner of evil.

The EU General Data Protection Regulation, and EU data protection law more broadly, have been heralded as the "gold standard." It has been an archetypal regulatory product and progenitor of the "Brussels effect." Urged on by the reports of two former Italian Prime Ministers Enrico Letta and Mario Draghi and in approaching its ninth anniversary since adoption, and seventh since becoming applicable, EU policy and lawmakers are considering whether and how to reform the GDPR in ways that support the competitiveness of European enterprises by not "imposing unnecessary burden."

The proposal concerns limited and targeted changes to the GDPR in view of simplifying it or extending certain measures currently applicable to small and medium-sized enterprises to include small mid-cap enterprises that have "outgrown the SME definition."

Article 30 of the GDPR requires data controllers and processors to maintain a record of data processing activities and prescribes out what information this record should contain, such as the purposes of the processing, the description of the categories of data, the categories of third-party recipients of the data and, where possible, a description of technical and organizational security, among other matters.