In today’s digital economy, organisations increasingly rely on processing vast amounts of personal data to deliver services, generate insights, and drive innovation.

But with great processing power comes great responsibility. Under modern data protection laws such as the EU’s General Data Protection Regulation (GDPR) and the UK GDPR, organisations engaging in large-scale processing must meet specific obligations to safeguard individuals’ rights and freedoms.

What Is “Large-Scale Processing”?

The term is not precisely defined in the GDPR, but regulators and guidance documents (such as those from the European Data Protection Board) provide criteria to assess whether data processing qualifies as large-scale. Factors include:

  • Volume of data: How many records or data points are being processed?
  • Number of individuals affected: Does the processing impact thousands, millions, or more?
  • Duration or permanence: Is the processing continuous, repeated, or short-term?
  • Geographical scope: Is the data limited to a small community or spread across regions and countries?

What Counts as “Large” in Numbers?

Neither the GDPR nor the UK GDPR specifies an exact numerical threshold for what constitutes large-scale. Instead, regulators assess the context and impact.

In a recent webchat with the Information Commissioner’s Office (ICO), the representative explained that there is deliberately no strict numerical definition:

“Large scale is not numerically defined in our regulations, as it is for the organisation to determine and justify this definition themselves. We usually provide an example for these types of organisations as one like the NHS or Google.”

When pressed on whether 10,000 individuals could be considered large-scale, the ICO clarified:

“10,000 would begin to tip the scale into this territory. If in doubt I suggest you consider large scale processing.”

The ICO’s advice highlights that numbers alone are not the deciding factor; the type of data, its sensitivity, and the scope of processing also matter. Still, the reference point of 10,000 records gives organisations a practical sense of when they may need to treat their processing as large-scale.

Further guidance can be found on the ICO’s website in their section on Data Protection Impact Assessments (DPIAs): ICO Guidance on DPIAs.

Why Does It Matter?

Large-scale processing often carries higher risks to individuals’ privacy and freedoms. The bigger the dataset and the broader the scope, the greater the potential for misuse, data breaches, or unintended consequences. So what should you do if you are processing large-scale data?

  1. Appoint a Data Protection Officer (DPO): Organisations whose core activities involve large-scale processing are legally required to appoint a DPO. This may just be a DPO as a Service for a few hours a month rather than an FTE post.
  2. Undertake a Data Protection Gap Analysis: Find out what you’re missing in your Data Protection compliance by undertaking a gap analysis. You then receive a compliance plan with associated levels of risk, so that you can tackle it piece by piece.
  3. Heighten your Security and Governance: Put in place stronger technical and organisational measures, such as encryption, anonymisation, access controls and password policies.
  4. Transparency and Accountability: Organisations must be clear with individuals about how their data is used, and they must be able to demonstrate compliance to regulators. You therefore need to know what you have, why you have it and how long you will keep it, so a degree of Records Management needs to be reviewed.

Final Thoughts

Large-scale processing is both a business necessity and a regulatory responsibility. Done well, it allows organisations to harness the power of data whilst preserving the trust of individuals. Done poorly, it can lead to reputational damage, heavy fines, and erosion of public confidence.

In the end, successful organisations won’t just ask, “Can we process this data?”—they’ll also ask, “Should we, and how do we protect the people behind the data?”

CVG Solutions offers Data Protection Officer as a Service (DPOaaS) packages from £129.50 a month.  Get in contact if you think you need our services and we can have a free chat to see if it’s right for you. Contact us on info@cvgsolutions.co.uk
