Large scale processing of personal data provides some indication that the activity an organisation is undertaking might be higher risk. If large scale processing is combined with other high risks, such as processing sensitive personal data, then a Data Protection Impact Assessment (DPIA) may be required. However, there is no clear definition of what ‘large scale’ means, so the term is in some respects open to interpretation.
When considering whether processing is large scale, we should take into account:
- the volume of data;
- the number of individuals concerned;
- the variety of data;
- the duration of the processing; and
- the geographical extent of the processing.
The UK supervisory authority provides the following as examples of large scale processing:
- a hospital (but not an individual doctor) processing patient data;
- tracking individuals using a city’s public transport system;
- a fast food chain tracking real-time location of its customers;
- an insurance company or bank processing customer data;
- a search engine processing data for behavioural advertising; or
- a telephone or internet service provider processing user data.
Individual professionals processing patient or client data are not processing on a large scale.
Further information is available in our blog on the subject, found here.
The ICO offers a little more guidance here.