by drdeca 1603 days ago
Depends on what "have a dedicated officer" entails?

If it requires employing someone you wouldn't be otherwise, then, yes, I do think it is unreasonable to require that I hire someone if I am letting people give me an email address for the purpose of sending them an email in the event that <x> (assuming that I am verifying at the time they give me the email address that they have control of the email address in question), no matter how many people request to be added to the list of people to send an email in the event that <x>.

1 comments

It means designating a person that understands GDPR in the scope it applies to the particular data set and handles requests/security incidents. It can be a secretary after a few hours of training.

And I think that if you manage a mailing list of millions of people then having someone who understands the security implications of it and how much they can lose (even to a simple phishing at this scale) if you get that list accessed by scammers is necessary.

Secretary? I’m not really talking about an organization, I’m talking about an individual.

A few hours of training is reasonable enough, I suppose?

Seems like it might be simpler to just have whoever is responsible be liable for any problems that could arise from not keeping the list secure? I guess maybe an issue with that is that it would be hard to track down all the harms that actually occurred as a result of letting the list fall into the wrong hands, and also hard to even get a good estimate.