Data privacy in automation: how to handle sensitive information safely in workflows
Automation moves data from one place to another — often faster and more frequently than a manual process would. From a privacy perspective, this is a meaningful shift: when data flows automatically, it matters exactly what is being transferred, where it goes, and who can access it.
GDPR does not disappear from a workflow just because the process is automated.
What sensitive data means in automation
Sensitive data does not only mean social security numbers or medical records. In automation projects, you more commonly encounter:
- Customer contact details (name, email, phone)
- Business-critical information (quotes, contracts, sales figures)
- Employee data (salaries, reviews, login credentials)
- Payment data (invoicing data, bank account details)
Each of these calls for care — not because the law is complicated, but because data leaks or misuse cause real harm.
Three common data privacy risks in workflows
1. Overly broad permissions
Automations are often built with admin credentials because it is the quickest option. The result is a workflow with access to everything — including things it has no need to touch.
The right approach: create a dedicated service account or API key for the automation, with only the permissions the workflow actually requires. If an automation only reads one table, it does not need write access to the entire database.
2. Data left in intermediate storage
Many automation tools keep a run history, including the data that was processed. Every row of a customer list, every email body handled — all of it can sit in logs for years.
The right approach: check the platform's logging settings. Most allow you to limit what gets stored and for how long. For sensitive data, log metadata (processed successfully: yes/no) rather than the content itself.
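As an added illustration (not code from the original article), the following Python sketch shows what "log metadata, not content" looks like in practice: a run-history entry that records counts and outcome only, plus a logging filter that scrubs e-mail addresses and phone numbers from any message before a handler writes it. The regular expressions and the sample rows are constructed for the example.

```python
import logging
import re
from datetime import datetime, timezone
from typing import Optional

# Patterns for the contact details most likely to leak through a log line.
# The phone pattern is deliberately broad (a digit, 6+ digits/separators, a digit):
# a false positive costs a redacted log entry, a miss costs a leaked one.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")


def redact_pii(text: str) -> str:
    """Replace e-mail addresses and phone numbers with fixed placeholders."""
    text = EMAIL_RE.sub("[EMAIL]", text)
    return PHONE_RE.sub("[PHONE]", text)


def audit_record(run_id: str, batch: list, success: bool, error: Optional[str] = None) -> dict:
    """The entry the run history should keep: what happened, not what the data was.

    `batch` is the list of rows the workflow processed; only its size is recorded.
    Error text often quotes the offending row, so it is redacted before storage.
    """
    entry = {
        "run_id": run_id,
        "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "record_count": len(batch),
        "processed_successfully": success,
    }
    if error:
        entry["error"] = redact_pii(error)
    return entry


class RedactingFilter(logging.Filter):
    """Logging filter that scrubs every message before any handler sees it.

    Attach it to the logger used by workflow steps so that an unguarded
    log.info("sending to %s", email) cannot put the address on disk.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_pii(record.getMessage())
        record.args = ()  # message is already formatted; prevent a second % expansion
        return True


if __name__ == "__main__":
    log = logging.getLogger("workflow")
    log.addFilter(RedactingFilter())
    logging.basicConfig(level=logging.INFO)
    # Constructed sample batch standing in for a customer list.
    rows = [{"email": "jane.doe@example.com", "phone": "+44 20 7946 0958"}]
    log.info("sending reminder to %s (%s)", rows[0]["email"], rows[0]["phone"])
    print(audit_record("run-0001", rows, success=False, error="SMTP rejected jane.doe@example.com"))
```

The filter is attached to the logger rather than to a single handler, so it also covers handlers added later by the platform or by a library. The audit record is what you would want to keep for years; the rows themselves never enter it.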
3. Third-party services
Cloud-based automation platforms process data on their own servers. This is usually understood, but not always thought through: where are those servers, who can access them, and does the service agreement include a data processing agreement (DPA)?
EU-based services typically have a DPA available. US-based services vary: some are covered by the arrangement that replaced the earlier adequacy decision, others require Standard Contractual Clauses.
Practical principles
Minimum necessary: The automation handles only the data it needs. No extra fields, no precautionary copies stored just in case.
Short retention: Data passed through an automation is deleted or anonymised once it has reached its destination. A workflow does not need to remember what it processed last year.
Clear ownership: Every automation has an owner who knows what data it handles. When that person moves on, ownership is transferred — not left dangling under an old account.
Documented basis: GDPR requires a legal basis for processing. An automation does not create a new basis — it executes the same basis the underlying process already has. If that basis is unclear, clarify it before building the automation.
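The four principles above can be turned into a small, checkable manifest per automation. The Python below is an added example, not part of the original article: the manifest schema, field names, owner, dates and the CRM row are all constructed. It enforces "minimum necessary" by dropping unlisted fields, "short retention" by purging a run store past its window, and refuses to validate an automation with no owner or no documented basis.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List


@dataclass(frozen=True)
class WorkflowManifest:
    """What a privacy reviewer needs to know about one automation (constructed schema)."""
    name: str
    owner: str                      # a named person, not a shared or departed account
    legal_basis: str                # inherited from the underlying process, never invented here
    allowed_fields: FrozenSet[str]  # the only fields the workflow may carry end to end
    retention_days: int             # how long pass-through data may sit in the run store


def validate_manifest(m: WorkflowManifest) -> List[str]:
    """Return the reasons this automation should not run; an empty list means it passes."""
    problems = []
    if not m.owner.strip():
        problems.append("no owner assigned")
    if not m.legal_basis.strip():
        problems.append("no documented legal basis")
    if not m.allowed_fields:
        problems.append("no field allowlist (would carry everything)")
    if m.retention_days < 0:
        problems.append("retention must be zero or more days")
    return problems


def minimise(record: dict, m: WorkflowManifest) -> dict:
    """Drop every field the manifest does not list: the 'minimum necessary' rule as code."""
    return {k: v for k, v in record.items() if k in m.allowed_fields}


def purge_expired(store: List[dict], m: WorkflowManifest, now: datetime) -> List[dict]:
    """Return the run store with entries past the retention window removed.

    Each store entry is {"processed_at": datetime, "data": minimised record};
    anything older than retention_days is deleted rather than kept 'just in case'.
    """
    cutoff = now - timedelta(days=m.retention_days)
    return [e for e in store if e["processed_at"] >= cutoff]


# Constructed example: a reminder workflow for overdue invoices.
INVOICE_REMINDER = WorkflowManifest(
    name="invoice-reminder",
    owner="a.kowalski",
    legal_basis="performance of a contract (GDPR Art. 6(1)(b))",
    allowed_fields=frozenset({"invoice_id", "amount", "due_date", "customer_email"}),
    retention_days=30,
)

# Constructed source row: the CRM export carries more than the reminder needs.
CRM_ROW = {
    "invoice_id": "INV-4471",
    "amount": "1280.00",
    "due_date": "2024-05-31",
    "customer_email": "jane.doe@example.com",
    "phone": "+44 20 7946 0958",
    "internal_notes": "slow payer, escalate next quarter",
}

# Constructed run store as of NOW: one entry past retention, one on the boundary, one recent.
NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)
SAMPLE_STORE = [
    {"processed_at": NOW - timedelta(days=45), "data": minimise(CRM_ROW, INVOICE_REMINDER)},
    {"processed_at": NOW - timedelta(days=30), "data": minimise(CRM_ROW, INVOICE_REMINDER)},
    {"processed_at": NOW - timedelta(days=3), "data": minimise(CRM_ROW, INVOICE_REMINDER)},
]

if __name__ == "__main__":
    print("manifest problems:", validate_manifest(INVOICE_REMINDER))
    print("minimised row:", minimise(CRM_ROW, INVOICE_REMINDER))
    print(len(purge_expired(SAMPLE_STORE, INVOICE_REMINDER, NOW)), "store entries kept")
```

Running `validate_manifest` at deploy time (or in CI) is what turns "documented basis" and "clear ownership" from a policy into a gate; an automation whose owner field is blank simply does not ship.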
A special case: AI components in the workflow
If a workflow uses AI for text processing or classification, an additional question arises: is personal data being sent to an AI service?
Most commercial AI APIs do not use request content for model training without a separate agreement, but it is worth verifying this per provider. If personal data is being sent, that needs to be documented as part of your records of processing activities.
The simplest way to avoid the issue: anonymise or pseudonymise data before the AI call. If the AI's job is to classify emails, it does not need the sender's name — only the message body.
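The e-mail classification case reads as follows in code. This is an added example, not from the article: the sender fields are dropped before the call, any addresses quoted inside the text are replaced by stable tokens, and the token mapping stays in local memory so the result can be joined back to the real sender afterwards. The external AI call is represented by a constructed keyword stand-in (`classify_stub`); a real provider client would sit in its place. Personal names in free text are out of scope here and would need a name list or an NER pass.

```python
import re
from typing import Dict

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class Pseudonymiser:
    """Swaps identifiers for stable tokens and keeps the mapping in local memory only.

    The same address always gets the same token within one run, so a classifier
    can still see that two mentions refer to one party without learning who.
    """

    def __init__(self) -> None:
        self._forward: Dict[str, str] = {}
        self._reverse: Dict[str, str] = {}

    def token_for(self, value: str, kind: str) -> str:
        if value not in self._forward:
            token = f"<{kind}_{len(self._forward) + 1}>"
            self._forward[value] = token
            self._reverse[token] = value
        return self._forward[value]

    def text(self, s: str) -> str:
        """Tokenise every e-mail address in free text."""
        return EMAIL_RE.sub(lambda m: self.token_for(m.group(0), "EMAIL"), s)

    def reidentify(self, s: str) -> str:
        """Restore original values; runs locally, after the external call has returned."""
        for token, value in self._reverse.items():
            s = s.replace(token, value)
        return s


def prepare_for_ai(message: dict, p: Pseudonymiser) -> dict:
    """Build the payload the AI service receives.

    Sender name and address are dropped outright (classification does not need them);
    addresses quoted inside the text are tokenised.
    """
    return {"subject": p.text(message["subject"]), "body": p.text(message["body"])}


def classify_stub(payload: dict) -> str:
    """Constructed stand-in for the external AI call; a real provider client would sit here."""
    text = (payload["subject"] + " " + payload["body"]).lower()
    if "invoice" in text or "payment" in text:
        return "billing"
    if "cancel" in text:
        return "churn-risk"
    return "general"


def route(message: dict, p: Pseudonymiser) -> dict:
    """Classify a message without the sender's identity leaving the process."""
    payload = prepare_for_ai(message, p)
    assert not EMAIL_RE.search(payload["body"]), "address escaped pseudonymisation"
    label = classify_stub(payload)
    # The label is joined back to the real sender locally; the provider never saw it.
    return {"label": label, "sender": message["from_email"]}


# Constructed inbound message.
SAMPLE_MESSAGE = {
    "from_name": "Jane Doe",
    "from_email": "jane.doe@example.com",
    "subject": "Invoice 4471 overdue?",
    "body": "Hi, please resend the invoice to jane.doe@example.com and cc ap@example.com.",
}

if __name__ == "__main__":
    p = Pseudonymiser()
    print(prepare_for_ai(SAMPLE_MESSAGE, p))
    print(route(SAMPLE_MESSAGE, p))
```

The assertion in `route` is the cheap guard worth keeping in production: if a new message format slips an address past the tokeniser, the call fails loudly instead of sending personal data out.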
Where to start
If you already have automations running and have not reviewed their privacy posture: start by listing what data each workflow handles. That alone will clarify where the risks are.
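Listing what each workflow handles can be partly automated if your platform exports workflow definitions. The Python below is an added example, not from the article: it assumes a constructed export format (steps with a `fields` list and `{{field}}` template references in their configuration), walks it to collect every field touched, tags fields against the four categories listed earlier using constructed name heuristics, and flags steps whose type indicates data leaving your own systems. The patterns are a starting point to tune to your naming conventions, not an authority.

```python
import re
from typing import Dict, Iterator, List

# Template references like {{customer_email}} in step configuration strings (constructed convention).
FIELD_REF = re.compile(r"\{\{\s*([\w.]+)\s*\}\}")

# Field-name heuristics for the categories from the list above (constructed; tune to your naming).
CATEGORIES = {
    "contact": re.compile(r"(^|_)(email|phone|name|address)($|_)", re.I),
    "business": re.compile(r"(quote|contract|revenue|sales)", re.I),
    "employee": re.compile(r"(salary|review|password|credential|token)", re.I),
    "payment": re.compile(r"(invoice|amount|iban|bank|card)", re.I),
}

# Step types whose destination is outside your own systems (constructed naming).
EXTERNAL_STEP_PREFIXES = ("http", "ai", "webhook")


def referenced_fields(node) -> Iterator[str]:
    """Walk an exported workflow and yield every field name it touches.

    Handles two constructed conventions: a `fields` list on a step, and
    {{field}} template references anywhere in a string value.
    """
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "fields" and isinstance(value, list):
                yield from (str(f) for f in value)
            else:
                yield from referenced_fields(value)
    elif isinstance(node, list):
        for item in node:
            yield from referenced_fields(item)
    elif isinstance(node, str):
        yield from FIELD_REF.findall(node)


def categorise(field_name: str) -> List[str]:
    """All sensitivity categories whose pattern matches the field name."""
    return [c for c, pattern in CATEGORIES.items() if pattern.search(field_name)]


def inventory(workflows: List[dict]) -> Dict[str, dict]:
    """Per workflow: all fields handled, those that look sensitive, and steps that leave the house."""
    report = {}
    for wf in workflows:
        steps = wf.get("steps", [])
        fields = sorted(set(referenced_fields(steps)))
        sensitive: Dict[str, List[str]] = {}
        for f in fields:
            for cat in categorise(f):
                sensitive.setdefault(cat, []).append(f)
        external = [s["type"] for s in steps
                    if str(s.get("type", "")).startswith(EXTERNAL_STEP_PREFIXES)]
        report[wf["name"]] = {"fields": fields, "sensitive": sensitive, "external_steps": external}
    return report


# Constructed exports of two workflows.
WORKFLOWS = [
    {
        "name": "invoice-reminder",
        "steps": [
            {"type": "db.read", "table": "invoices",
             "fields": ["invoice_id", "customer_email", "amount", "phone"]},
            {"type": "http.post", "url": "https://sms-gateway.example/send",
             "mapping": {"to": "{{phone}}", "text": "Invoice {{invoice_id}} of {{amount}} is due"}},
        ],
    },
    {
        "name": "hr-onboarding",
        "steps": [
            {"type": "sheet.read", "fields": ["full_name", "salary", "manager_review"]},
            {"type": "ai.classify", "mapping": {"input": "{{manager_review}}"}},
        ],
    },
]

if __name__ == "__main__":
    for name, entry in inventory(WORKFLOWS).items():
        print(name, entry)
```

The report is deliberately coarse: its job is to tell you which workflows deserve a manual look first (sensitive fields plus an external step is the combination to start with), not to replace the review itself.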
If you are building a new automation, it is far easier to incorporate a privacy perspective from the start than to retrofit it later.
Get in touch — I can review the privacy practices of your existing automations and identify what, if anything, needs to change.