Five proposals after five years with the GDPR

On May 25, 2023, the GDPR has been in force for five years for the processing of personal data in the EU. Here are five proposals for improvements ahead of the European Commission’s upcoming evaluation.

1. Simplify the use of artificial intelligence, data analytics and data sharing

• Allow machine learning and data analytics aimed at extracting aggregated knowledge at group level

• Allow the processing if anonymisation measures listed in complementary secondary legislation is done

• Introduce a supplementary EU regulation allowing data processing for socially beneficial purposes

2. Adapt the accountability principle to the less privacy intrusive processing

• Limit the obligation to investigate and document- if less-privacy-intrusive processing

• Clarify the exemption for smaller businesses from the record obligation in Article 30(5)

3. Limit the obligation to request prior consultation

• Make it a voluntary option, in order to obtain the DPA’s assessment of how risks should be managed

4. Greater flexibility is needed to process sensitive personal data and data relating to criminal convictions and offences

• Introduce a new exception to the prohibition on processing sensitive personal data in Article 9 of the GDPR in the event of conflicting interests, or where the need for protection is limited.

• Further expand the article 10 – which concerns the processing of data relating to criminal convictions and offences – clarify when processing in the private sector is allowed.

5. Make the system with Codes of Conduct work

• The European Commission should be given a wider responsibility for initiating, organising and administering the work on Codes of Conduct, CoC