What is Large Scale Processing under GDPR?
Large Scale Processing is a critical regulatory classification under the GDPR used to identify data activities that involve significant volumes of personal information or affect a vast number of individuals. It is determined by assessing the number of data subjects, the volume of data, the duration of processing, and the geographical extent of the operation.
What are the Four Factors Used to Define Large Scale Processing?
To determine if an activity constitutes Large Scale Processing, organizations must evaluate four specific criteria: the number of data subjects (either as a specific figure or a percentage of the population), the volume of data items being processed, the duration or permanence of the data activity, and the geographical extent of the processing.
These factors allow for a nuanced assessment rather than relying on a single numerical threshold. For example, a hospital processing patient data or an insurance company tracking real-time geodata are typically considered large scale. In contrast, a single physician or lawyer processing client data is generally classified as small-scale and does not trigger the same stringent regulatory requirements under the Data Protection Act 2018.
The UK supervisory authority provides the following as examples of large scale processing:
- a hospital (but not an individual doctor) processing patient data;
- tracking individuals using a city’s public transport system;
- a fast food chain tracking real-time location of its customers;
- an insurance company or bank processing customer data;
- a search engine processing data for behavioural advertising; or
- a telephone or internet service provider processing user data.
When Does Large Scale Processing Trigger the Need for a DPO or DPIA?
Under Article 37 of the GDPR, appointing a Data Protection Officer (DPO) is a statutory requirement for any organization whose core activities consist of large scale processing of sensitive data or the systematic monitoring of individuals. Because these high-volume activities carry inherently greater risks, they also necessitate a formal Data Protection Impact Assessment (DPIA).
As Mark Roebuck, an expert in Data Protection Compliance, notes: “Large-scale operations require more than just a registry; they demand a proactive accountability framework to mitigate risks before they impact the data subject.” Implementing these measures ensures that the Data Controller can demonstrate compliance to supervisory authorities during an audit or data breach investigation.
How Can ProvePrivacy Help Demonstrate Large Scale Data Management?
ProvePrivacy simplifies the complexities of managing high-volume data by providing a Record of Processing Activities (RoPA) module that identifies large-scale triggers. The platform facilitates mandatory DPIAs, tracks the geographical reach of data transfers, and ensures that your DPO has real-time visibility into all processing activities to maintain continuous regulatory compliance.
Comparison: Manual Tracking vs. ProvePrivacy Automation
| Feature | Manual Spreadsheets | ProvePrivacy Platform |
|---|---|---|
| Volume Assessment | Subjective and inconsistent | Data-driven volume tracking |
| DPO Requirement Alerts | High risk of manual oversight | Automated Article 37 notifications |
| Risk Mitigation | Fragmented and reactive | Integrated DPIA workflows |
| Geographical Mapping | Difficult to visualize/audit | International data transfers identified |
| Regulatory Evidence | Manual data consolidation | Audit-ready reports |
Sources
- Data Protection Act (2018): https://www.legislation.gov.uk/ukpga/2018/12/contents
- Working Party 29 (WP29) Guidelines on DPOs: https://ec.europa.eu/newsroom/article29/items/612053


