+ INFORMATION

New Eip Logo
Events EIP Talent Student access
  • es_ES
  • en_GB

Share on social networks!

What is large-scale data processing?

by
What is large-scale data processing?

To define a concept as diffuse and not very specific as that of "big scale", present in the RGPD, in the cases of mandatory appointment of Data Protection Officers, or in the cases of need to carry out a Privacy Impact Assessment, we have to go to the ““Guidelines on data protection officers (DPO)” of the Working Group on data protection of article 29, where he makes an approach to said concept.

Analyze if a treatment is large scale

In addition to giving examples, it is mentioned that, to determine by a person responsible or in charge of the treatment when there is a "large-scale" treatment, they must take into account the following aspects:

  • He number of affected stakeholders, either as a specific figure or as a proportion of the corresponding population
  • He data volume or the variety of data elements that are subject to processing
  • The duration or permanence of the data processing activity
  • He scope geographical of the treatment activity.

What is large-scale data processing?

Risk analysis in the processing of personal data subject to RGPD

Once we are clear about the aspects that we must evaluate to know if we are in the presence of a large-scale treatment, we must encrypt, or make clear, the quantity scales for each of the aspects to be evaluated. To do this, (in the absence of legal regulation) we can go to the “Practical guide to risk analysis in the processing of personal data subject to the RGPD” of the Spanish Data Protection Agency, in whose Annex I (Template for analysis of the need to carry out a DPIA) the following are established:

  1. The number of affected subjects (that is, how many interested parties will be subject to this treatment) 
  • From 0 to 10,000 (1)
  • From 10,000 to 100,000 (2)
  • + than 100,000 (3)
  1. The duration of treatment 
  • Instant (1)
  • Days (2)
  • Weeks (3)
  • Months (4)
  1. The geographical extent of the treatment 
  • Treatment at regional level (1)
  • National (2) 
  • International (3)

Guide for the management and notification of security breaches

However, this template offers solution to three of the four aspects to analyze to verify whether a treatment is large-scale or not.

The fourth refers to the volume of data or the variety of data elements that are processed. To establish scales or figures in this regard, we can go to the “Guide for the management and notification of security breaches” of the Spanish Data Protection Agency, in whose Annex III, establishes the following scales:

  • Less than 100 records (1)
  • Plus 1,000 (2) (there is a typo, it should be more than 100)
  • Between 1,000 and 100,000 (3) 
  • More than 100,000 (4) 
  • More than 1,000,000 (5)

Calculation formulas

Once we have put figures to the four aspects to analyze to determine if a treatment is large scale, we must establish calculation formulas.

For it. we assign increasing numbers to each scale; and, knowing that the maximum sum of the four aspects is 15, we can establish, as a guide, that a treatment is large-scale, when the sum is equal to or greater than 9. 

Let's look at an example to understand this calculation system.

  1. The number of affected subjects is 120,000 people
  2. The treatment will last months.
  3. The treatment will have a national geographical extension
  4. The affected data is 50,000 (records)
large scale data processing

This is an indicative way of quantitatively establishing the concept of large scale, but nothing prevents other mathematical formulas from being chosen.

Senior Consultant in Data Protection and Criminal Compliance.

 

Subscribe to our newsletter to stay up to date with all the news

Basic information on data protection.
Responsible for the treatment: Mainjobs Internacional Educativa y Tecnológica SAU
Purpose: Manage your subscription to the newsletter.
Legitimation for processing: Explicit consent of the interested party granted when requesting registration.
Transfer of data: No data will be transferred to third parties, except under legal obligation.
Rights: You may exercise the rights of Access, Rectification, Deletion, Opposition, Portability and, where applicable, Limitation, as explained in the additional information.
Additional information: You can consult additional and detailed information on Data Protection at https://www.mainfor.edu.es/politica-privacidad
Blog Master Dpo

Leave a comment

Members of 

Latin American Council Schools Admission Logo
Business School Logo
Euphe 1
Euphe 2

Recognitions

Qs Rating Horizontal 0
Qs Rating Horizontal 4
Qs Rating Horizontal 1
Qs Rating Horizontal 2
Qs Rating Horizontal 3
Qualificam Logo Footer

Educational partners

Harvard Negative (1)
Microsoft Academy (1)
Aws Academy Logo Footer
Cisco Networking Academy White
Wca Logo
Ausape Logo
Logo Compliant Professional Association White
Logo Aeca Footer
Buildingsmart Rgb Spain Chapter Member V2
Sage50 Cloud Logo Footer
Pmp Logo Footer
Global Suite Logo White
Minsoit Sap Svg
Nominasol Logo Footer
Cype Logo
Pvsyst Logo
Logo Capman Footer
Toeic Logo White
Python Institute Logo White
Its Logo White
Ccsp Badge
Cdpp
Cpcc
Legal warning Use of Cookies Privacy Policy Quality politics Complaint channel Registration Conditions join us

EIP Teatinos University Campus - Málaga - Spain

© EIP | International Business School 2010-2024

Trademark registered with the OEPM. No. 3,735,191