The General Data Protection Regulation (GDPR) is based on the risk-based approach. In other words, companies/organisations processing personal data are encouraged to implement protective measures corresponding to the level of risk of their data processing activities. Therefore, the obligations on a company processing a lot of data are more onerous than on a company processing a small amount of data.
For example, the probability of hiring a data protection officer for a company/organisation processing a lot of data is higher than for a company/organisation processing a small amount of data (in that case this links to the notion of processing of personal data on a ‘large scale’). At the same time, the nature of the personal data and the impact of the envisaged processing also play a role. Processing of a small amount of data, but which is of a sensitive nature, for example health data, would require implementing more stringent measures to comply with the GDPR.
In all cases, the principles of data protection must be respected and individuals allowed to exercise their rights.