Stefano Gazzella : 1 October 2025 15:17
A wonderfully widespread argument among those who work with personal data is that of underestimating the risks or refusing to address them at all. This is the belief that there’s no need to worry about processing “non-sensitive” data. The ontological premise for seeking solutions and corrective measures in the areas of lawfulness and security is the ability to ask the right questions. This is why a tendency to overly easily skip data cannot constitute a functional or even minimally useful strategy.
Of course, sensitive data exists under the GDPR and requires high levels of protection. However, this doesn’t mean that all other types of data (improperly called “common” by those who simply need to create unnecessary categories) can be dispensed with in terms of proper risk management. Non-sensitive cannot in any way mean “unprotected,” not even through the most unscrupulous interpretation.
While recklessness involves behaviors that select cost-effective options in defiance of the rules, forcing data subjects to pay the security costs, the source of behaviors that lead to underestimating the importance of protecting all personal data is often attributable to a genuine lack of awareness. Caution: this assumption does not open the door to less serious scenarios or those in which a lower level of liability may be possible.
Hacking non-sensitive data, such as simple identifying information, can have devastating consequences for the data subject. Consider that most phishing attacks involve contact information, with a higher probability of success if access includes information such as consumer habits or other information that can be expressed or inferred but is otherwise not particularly sensitive. The possibility of linking information to a data subject, in fact, exposes them to greater risks of identity theft, fraud, or a range of unpleasant consequences that are unfortunately part of everyday digital life.
The availability of this data to cybercriminals stems from OSINT activities, but also from the ability to find breached databases. These databases are breached as a result of actions carried out using simple contact information and are enriched through further breaches, increasing the effectiveness of subsequent attack campaigns.
Ignoring all this is, nowadays, unjustifiable for an organization that carries out activities on personal data, regardless of data maturity.
The issue of security and data breaches is therefore a particularly compelling argument for not underestimating the protection of all personal data, but there is an additional factor: the lawfulness of processing. While security of processing is a requirement under the GDPR, there are also other recurring violations that should raise awareness of the impact of violating the “rules of the game” from the outset, such as:
Obviously, all of this leads to the creation of databases outside of the data subject’s conscious control. And it creates easy profit opportunities for cybercriminals, since a lack of strategy, such as that evident in the breaches cited above, leads to data accumulation without creating value. And in the absence of value, there is no perception of any asset needing to be protected.
The solution is to think about the sustainable use of personal data. The law specifies and regulates responsibilities, but a correct strategic approach knows how to think in terms of the value generated and not exclusively focusing on cost components, such as finding excuses or justifications for doing the bare minimum .
Otherwise, it’s easy to fall into traps, such as the belief that only sensitive data needs to be protected or monitored. This creates all the management blind spots that inevitably lead to the inadequacy of the measures in place.
Spoiler alert: data subjects are aware of this. And they’re unlikely to select services from those who can’t guarantee sustainable use of their data.
Stefano Gazzella