As a small, bootstrapped one person startup, the part of GDPR that seems impossible for me to comply with (I am not a lawyer nor am I European, so maybe I am wrong, but everything I have read about it indicates I am right) is the appointment of a Data Protection Officer. I do the duties of the DPO myself, but from what I have read, this is not in compliance with GDPR, which requires the DPO to be "independent". See https://edps.europa.eu/data-protection/data-protection/refer...
You don’t need an EU DPO, just an EU representative, according to my reading of it. (At least not under a certain size, which is what I was looking at.) They’re basically a glorified post office box. I used DataRep, which was very reasonably priced.
Read the text of the GDPR directly. It’s surprisingly readable, and there are several well-organized hypertext versions online.
It’s been several years since I read the GDPR, but my recollection is that companies smaller than 150 people, who don’t process “sensitive” data (sexual orientation, etc.) have lighter requirements. Again, read the GDPR itself for details.
Every single official guidance on GDPR that I have seen, such as https://ico.org.uk/for-organisations/guide-to-dp/guide-to-th..., states that I would have a conflict of interest serving as DPO because "Basically this means the DPO cannot hold a position within your organization that leads him or her to determine the purposes and the means of the processing of personal data."
The same document specifically points out that as I head marketing, I cannot also be the DPO.
It is saying that I MAY not have to appoint a DPO, depending on various criteria... but then when you go to look at what those criteria are, it merely tells you:
---
What does ‘regular and systematic monitoring of data subjects on a large scale’ mean?
There are two key elements to this condition requiring you to appoint a DPO. Although the UK GDPR does not define ‘regular and systematic monitoring’ or ‘large scale’, the Article 29 Working Party (WP29) provided some guidance on these terms in its guidelines on DPOs. WP29 has been replaced by the European Data Protection Board (EDPB) which has endorsed these guidelines. Although these guidelines relate to the EU version of the GDPR, they are also a useful resource for understanding the requirements of the UK GDPR.
‘Regular and systematic’ monitoring of data subjects includes all forms of tracking and profiling, both online and offline. An example of this is for the purposes of behavioural advertising.
When determining if processing is on a large scale, the guidelines say you should take the following factors into consideration:
the numbers of data subjects concerned;
the volume of personal data being processed;
the range of different data items being processed;
the geographical extent of the activity; and
the duration or permanence of the processing activity.
---
So neither this page, nor the law (according to this page itself), nor any other guidance I have found defines what "a large scale" means. It gives some really squishy criteria, and then leaves it up to the DPA to fine whoever they want to, because they refuse to define anything in concrete terms. No one except commenters on Hacker News can possibly know whether or not they are in compliance.
The first question it addresses is "Do we need to appoint a Data Protection Officer?", for which the answer can be "no", depending on your activities and type of organisation.
Roughly, it's a no if you are not a government body and your PII handling is secondary (such as for HR in your startup) rather than a core activity at large scale (such as running an HR service or user-tracking service).
As a startup it is plausible that you are a "yes" if you handle PII as a core activity, for example if you are taking users' PII such as their names, addresses, locations, etc. But even then, you may not be doing so at large enough scale to require a DPO. If you are, though, it's time to hire one, and you're probably at a scale where you can afford to.
Broadly, you could think of a DPO as more like an auditor or independent overseer in a particular area, whose job is to check you are complying. Just like an auditor or security professional, you can hire an external one in to ensure your business is complying and show that you've done so. Larger companies doing large and more intrusive activities need it, the same way as those are the companies which need other forms of auditing and independent oversight.
It's a different function from the DPC (data protection controller), who is in charge of actually processing the PII you hold. See "What are 'controllers' and 'processors'?":
At a one person startup the DPC is almost certainly you, as you make the decisions on how to process PII, even if you delegate the actual processing sometimes. You have responsibilities as a DPC, but you can do it, and it'll just be one more, among the many duties you have as a director of a one person company. Imho, being a DPC isn't any more onerous than the other duties of a director.
The very document you link to does not say exactly when you have to hire a DPO or not, but it and other documents I have read seem to indicate that if my business is collecting personal information in order to provide my service, I need a DPO. There is some question as to scale, but nowhere is that defined in anything approaching concrete terms. If I have 5 customers and all 5 of them have given me their name, email, and a brief biography that I store for the purposes of providing my service - at least one guidance document from the EU states that scale is relative to the size of the business, so I would need a DPO in this case. What about 50, or 500, or 5000? Any number I would pick is arbitrary. What if I collect birthdates or other information that is essential to my service?
It's easy to say "I'm small and don't need a DPO"... but the law is nothing close to clear on this issue.
And the guidance clearly states that I cannot be the DPO while also holding all the other positions in the company.
"Basically this means the DPO cannot hold a position within your organization that leads him or her to determine the purposes and the means of the processing of personal data."