[ensignavenger]

As a small, bootstrapped one person startup, the part of GDPR that seems impossible for me to comply with (I am not lawyer nor am I European, so maybe I am wrong, but everything I have read about it indicates I am right) is the appointment of a Data Protection Officer. I do the duties of the DPO myself, but from what I have read, this is not in compliance with GDPR, which requires the DPO to be "independent". See https://edps.europa.eu/data-protection/data-protection/refer...

[jdlshore]

You don’t need an EU DPO, just an EU representative, according to my reading of it. (At least not under a certain size, which is what I was looking at.) They’re basically a glorified post office box. I used DataRep, which was very reasonably priced.

[ensignavenger]

And what size is that? Do you have a source?

[jdlshore]

Read the text of the GDPR directly. It’s surprisingly readable, and there’s several well-organized hypertext versions online.

It’s been several years since I read the GDPR, but my recollection is that companies smaller than 150 people, who don’t process “sensitive” data (sexual orientation, etc.) have lighter requirements. Again, read the GDPR itself for details.

[rrwo]

No, that's not true at all.

[CleverLikeAnOx]

Could you elaborate?

[rrwo]

You don't need to hire a separate person as DOO. It's recommended but not mandatory.

[ensignavenger]

Every single official guidance on GDPR that I have seen, such as https://ico.org.uk/for-organisations/guide-to-dp/guide-to-th..., states that I would have conflict of interest serving as DPO because "Basically this means the DPO cannot hold a position within your organization that leads him or her to determine the purposes and the means of the processing of personal data."

The same document specifically points out that as I head marketing, I cannot also the the DPO.

[rrwo]

It is recommended, not mandatory. You are a single person company.

Do you think every family run corner shop or plumber or painter in the EU has hired a DPO? No.

[ensignavenger]

I have seen nothing that says it is recommended and not mandatory- do you have a source?

[jlokier]

That link is about the DPO at EU institutions and bodies. It doesn't apply to your one person startup unless you meet the criteria for needing a DPO.

The UK ICO describes when a company does and doesn't need a DPO, at least with the UK implementation of the GDPR:

https://ico.org.uk/for-organisations/guide-to-data-protectio...

The first question it addresses is "Do we need to appoint a Data Protection Officer?", for which the answer can be "no", depending on your activities and type of organisation.

Roughly, it's a no if you are not a government body and your PII handling is secondary (such as for HR in your startup) rather than a core activity at large scale (such as running a HR service or user-tracking service).

As a startup it is plausible that you are a "yes" if you handle PII as a core activity, for example if you are taking user's PII such as their names, addresses, locations, etc. But even than, you may not be doing so at large enough scale to require a DPO. If you are, though, it's time to hire one, and you're probably at a scale where you can afford to.

Broadly, you could think of a DPO as more like an auditor or independent overseer in a particular area, whose job is to check you are complying. Just like an auditor or security professional, you can hire an external one in to ensure your business is complying and show that you've done so. Larger companies doing large and more intrusive activities need it, the same way as those are the companies which need other forms of auditing and independent oversight.

It's a different function from the DPC (data protection controller), who is in charge of actually processing the PII you hold. See "What are 'controllers' and 'processors'?":

https://ico.org.uk/for-organisations/guide-to-data-protectio...

At a one person startup the DPC is almost certainly you, as you make the decisions on how to process PII, even if you delegate the actual processing sometimes. You have responsibilities as a DPC, but you can do it, and it'll just be one more, among the many duties you have as a director of a one person company. Imho, being a DPC isn't any more onerous than the other duties of a director.

[ensignavenger]

The very document you link to does not say exactly when you have to hire a DPO or not, but it and other documents I have read seem to indicate that if my business is collecting personally information order to provide my service, I need a DPO. There is some question as to scale, but no where is that defined in anything approaching concrete terms. If I have 5 customers and all 5 of them have given me their name, email, and a brief biography that I store for the purposes of providing a my service- at least one guidance document from the the EU states that scale is relative to the size for the business, so I would need a DPO in this case. What about 50, or 500, or 5000? Any number I would pick is arbitrary. What if I collect birthdates or other information that is essentail to my service?

Its easy to say "I'm small and don't need a DPO"... but the law is nothing close to clear on this issue.

And the guidance clearly states that I cannot be the DPO while also holding all the other positions in the company.

"Basically this means the DPO cannot hold a position within your organization that leads him or her to determine the purposes and the means of the processing of personal data."