One of the things we have been working on in Security and Law is how to do an impact assessment. Under the GDPR, some companies that handle sensitive information or large-scale information have to perform a Data Protection Impact Assessment (DPIA). This is somewhat different from a regulatory assessment, since with a DPIA you assess the risks connected with storing sensitive data.

One of the objectives is to evaluate that risk and see how you can bring the risk level down, either by cutting out the data or by implementing measures that ensure the remaining risk is acceptable.

The Article 29 Working Party has guidance on how to perform such an assessment, and it can be read here: http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083