Large‑scale data collection (customers, employees, behavioural data, etc.) is undoubtedly a strategic asset for businesses, but it also exposes them to significant regulatory risks.
How can extensive data exploitation be reconciled with GDPR compliance? The answer is far from straightforward—and sanctions leave little room for error.
Exploit or Protect?
The GDPR does not set a specific limit on the volume of data that may be collected. However, a real gap exists between large‑scale use of personal data and strict compliance with legal requirements. Organisations processing substantial amounts of data all face the same question: when does lawful processing cross the line into illegality?
There is no single answer. The threshold depends on the sector, the business model and the specific context of each organisation.
From Consent to Legitimate Interest
Analysing the behaviour of millions of customers for marketing purposes is not unlawful per se, but it is legally complex. Consent, even when explicit, must be specific to each purpose and category of data, making it difficult to rely on at scale.
Legitimate interest may provide an alternative legal basis, provided it is strictly balanced against the rights and interests of the data subjects (respect for privacy, right to object, avoidance of excessive profiling). This balancing test is a GDPR requirement and must be formally documented in an accountability memorandum.
In the absence of such documentation, the processing is likely to be considered non‑compliant by the Belgian Data Protection Authority (DPA), with a high risk of sanctions.
This accountability memorandum is therefore central: it identifies the pursued interest, assesses less intrusive alternatives, evaluates the impact on individuals’ rights and describes the safeguards implemented.
Anonymisation: The Real Solution?
Some organisations believe that anonymising data is sufficient to remove it from the scope of GDPR. However, the Belgian DPA regularly reminds controllers that re‑identification is often possible by combining datasets that appear anonymised.
This creates a dilemma: the more data is anonymised, the less statistically relevant analyses may become. This is why it is crucial to determine, upstream and realistically, which data are genuinely necessary for the intended purposes.
Our advice:
Do not guess. GDPR compliance is not an administrative formality addressed through generic checklists. It is a strategic and legal issue that depends on your business model, your datasets and your sector.
Whatever your situation, it is time to obtain a clear and structured answer.
Contact us for a GDPR compliance audit and to identify your real risks.
