GDPR compliance: Why low-risk data processing can still create risk

GDPR compliance gaps don’t always come from high-risk data processing and sometimes come from seemingly low-risk activities that no one thinks to question. Organisations can often prioritise their compliance reviews on obvious areas, such as special category dataTypes of personal data listed in Article 9(1) GDPR that are considered sensitive and thus require extra protection. Article 9(1) lists data relating to: • racial or ethnic origin • political opinions • religious or philosophical beliefs • trade union membership • genetic data • biometric data • health • sex life • sexual orientation Where these types of personal..., large-scale profiling, and international data transfers. These activities carry a higher risk of harm to individuals and often trigger additional GDPR obligations. But it can also mean lower-profile processing is reviewed less often, or not at all.  

Risk is not determined solely by the type of data involved. Organisations must take account of how processing activities are designed, how data flows through systems, whether data is being combined, and how it is ultimately used. As a result, seemingly routine activities can present elevated risks if they are not fully assessed. 

Key takeaway: GDPR risk is not determined by data type alone. Routine processing should be reviewed in context and include purpose, data flows, system access changes and ongoing use, so compliance gaps can be identified before they become embedded. 

In this blog, we explore where lower-risk processing activities are commonly overlooked, why this leads to compliance gaps, and how organisations can take a more effective, risk-based approach to GDPR compliance. 

• Difference between high and low-risk data processing 
• Commonly overlooked data processing activities 
• How assumptions lead to GDPR compliance gaps 
• EU/UK regulator expectations of GDPR risk assessments
• How organisations can identify and manage hidden GDPR risks
• Frequently asked questions 

What’s the different between high-risk and low–risk data processing under the GDPR?

The General Data Protection RegulationRegulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). (GDPR) does not define ‘high-risk’ and ‘low-risk’ processing. Instead, it requires organisations to assess risk based on the potential impact to individuals’ rights and freedoms.   

Processing is typically considered high risk where it could result in significant impact in individuals’ rights and freedoms, such as: 

• Systematic and extensive profiling with legal or similarly significant effects 
• Large-scale processing of special category or criminal conviction data 
• Systematic monitoring of public areas 
• Use of new or innovative technologies 
• Data relating to particularly vulnerable individuals or children 

In these cases, a Data Protection Impact AssessmentA formal documented assessment which allows decision-makers to identify, manage and mitigate any data protection risks associated with a project. (DPIA) must be conducted. 

Examples of processing ‘likely to result in high risk’ 

Low-risk processing is generally an activity that is unlikely to result in significant impacts. However, this should not be assumed. Organisations must carefully assess the whole processing activity, including how data is accessed and used in practice, the context in which it is processed, and whether it could be combined with other data to increase risk. 

Which data processing activities are commonly overlooked or under-assessed?

Internal communication and collaboration tools

Internal communications are some of the most context-rich data environments. Chat messages, shared documents, and senior communications frequently contain HR discussions, health-related information, grievance records, or commercially sensitive decisions. 

The key risk is not the existence of this data, but how it is retained, accessed, and shared. For example, persistent chat histories or broad access permissions can increase exposure unnecessarily. 

Simple mitigation measures, such as defined retentionIn data protection terms, a defined period of time for which information assets are to be kept. periods for chat data and tight access controlsA series of measures (either technical or physical) which allow personal data to be accessed on a need-to-know basis., can significantly reduce this risk. 

Email 

Email is rarely subject to the same level of scrutiny as other systems, yet it often acts as a central hub for personal dataInformation which relates to an identified or identifiable natural person..  

The risk is driven by how long data is retained, how easily it can be shared or forwarded, and how vulnerable accounts are to compromise.  

In practice, this makes email a common entry point for data breaches. Organisations should therefore treat email as a processing environment that requires active management and clear staff training, not just a communication tool. 

Customer service and routine interactions 

Customer interactions themselves are not inherently high risk, but often involve identity verification data, account details, and contextual information about individuals. The risk arises from how that data is stored, analysed, and reused. 

For example:  

• Is customer data being used for analytics, and if so, is it properly anonymisedAnonymised refers to data that has undergone a process of transformation to remove or alter personal data in such a way that individuals can no longer be identified from it, and it is impossible for that process to be reversed and the data to be re-identified. Anonymised data is considered non-personal and falls outside the scope of the GDPR.? 
• Are patterns in the data being used to make decisions about individuals? 

When data is reused in this way, organisations must consider fairness, transparency, and accuracyIn data protection terms, the concept of ensuring data is not incorrect or misleading., particularly where decisions may impact individuals. They should also ensure employees with access to this information receive appropriate training, including understanding what information should be used to verify an individual. 

Aggregation and data combination

Organisations often combine information collected from different sources, such as bringing data together within a central CRM system. Organisations must ensure this information is appropriately assessed and used fairly, particularly where aggregated data is used to draw conclusions about individuals or groups. 

This is especially relevant where data is used to profile behaviour, predict outcomes, or support automated decision-making. In these cases, organisations should consider whether the processing could lead to unfair or inaccurate outcomes, and whether appropriate safeguards are in place. 

Why do assumptions lead to GDPR compliance gaps? 

When processing activities are not fully assessed, risks are more likely to be overlooked. As a result, controls may not be applied consistently and risks relating to access, storage, or downstream use may go unidentified. 

Over time, this can expose organisations to: 

• Unauthorised access or disclosure  
• Data misuse  
• Regulatory scrutiny  
• Loss of trust from customers, employees, and stakeholders 

What do EU and UK regulators expect from GDPR risk assessments?

Regulators expect organisations to evidence risk has been actively assessed and managed in context. This means considering both the likelihood and severity of harm to individuals and ensuring that controls remain appropriate as circumstances evolve. 

In practice, organisations should be able to demonstrate that they have: 

• Considered how data could be accessed, misused, or combined  
• Assessed whether existing safeguardsWhen transferring personal data to a third country, organisations must put in place appropriate safeguards to ensure the protection of personal data. Organisations should ensure that data subjects' rights will be respected and that the data subject has access to redress if they don't, and that the GDPR principles will be adhered to whilst the personal data is in the... are effective against current threats  
• Adapted their approach as systems, processes, or risks change 

The focus is not on whether processing is labelled ‘low risk’, but whether that assessment is justified and kept under review. 

How can organisations identify and manage the hidden GDPR risks?

Addressing hidden risks requires a shift from assumption to active assessment. Organisations should:

• Map data flows from collection to deletion Asses how data flows through each activity, from collection to storage, use, and deletion. This helps identify risks that may not be visible when looking at individual components in isolation.
• Review access, storage, and context Consider who can access the data, how it is stored, and whether controls are proportionate to the potential impact on individuals.
• Assess how data is reused in practice Look beyond the original purpose and consider whether data is being reused for analytics, profiling, or decision-making. This is often where additional risks arise. This helps identify risks that may not be obvious from documentation alone.
• Implement appropriate GDPR risk controls Once risks are identified, organisations should ensure that appropriate controls are in place. This may include retention limits, access restrictions, anonymisation techniques, or system-level safeguards.
• Embed ongoing reviews Risk is not static. As systems, processes, and threat landscapes evolve, assessments should be revisited to ensure controls remain effective.
• Use independent challenge to test assumptions Independent oversight can help identify blind spots and ensure consistency in how risk is assessed. A Data Protection Officer can support this by reviewing assessments, challenging assumptions, and helping ensure that mitigation measures align with how processing operates in practice.

Frequently asked questions 

What is considered low-risk data processing under GDPR?

Low-risk processing is generally understood as an activity that is unlikely to result in harm to individuals. However, this depends on context. Even routine processing can present risk depending on how data is accessed, shared, or combined with other datasets.

Can low-risk data processing still require safeguards?

Yes. All processing under the UK GDPRThe UK General Data Protection Regulation. Before leaving the EU, the UK transposed the GDPR into UK law through the Data Protection Act 2018. This became the UK GDPR on 1st January 2021 when the UK formally exited the EU. must be subject to appropriate technical and organisational measures. Classifying processing as low risk does not remove the need for controls, it simply affects how those controls are applied.

Do low-risk processing activities require a DPIA?

Not usually. A Data Protection Impact Assessment (DPIA) is required where processing is likely to result in a high risk to individuals’ rights and freedoms. However, organisations should still assess risk carefully, as activities initially considered low risk may change over time or when combined with other data.

If you’re unsure whether your organisation’s data processing activities have been accurately assessed, our DPOs can provide independent review and practical guidance to help identify hidden risks and strengthen your approach. Contact us today to find out more.

In case you missed it…

• Privacy Management Platforms: A practical guide for strengthening privacy operations 
• Building a privacy office: Key strategies for EU/UK compliance 
• GDPR DPO requirements: What qualifies as large-scale processing?