A fair quantity of data processing, though digitally performed, is outside of the GDPR’s reach.
I do not have figures comparing database-based processing to instantaneous, non-filing-system-handled data manning, nevertheless it is fair to say that the latter are a relevant part of the digital ecosystem (think of the instant messaging sector, where end-to-end communication is not necessarily meant to be stored.) As such, these kind of processing are not covered by the GDPR.
GDPR Whereas 25 recital, indeed, clearly says:
In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technolo ? gically neutral and should not depend on the techniques used. The protection of natural persons should apply to the processing of personal data by automated means, as well as to manual processing, if the personal data are contained or are intended to be contained in a filing system (emphasis added.) Files or sets of files, as well as their cover pages, which are not structured according to specific criteria should not fall within the scope of this Regulation.
This difference should be always taken into account when designing both corporate policies and business processes, especially in the marketing/advertising sectors.