The very document you link to does not say exactly when you have to hire a DPO or not, but it and other documents I have read seem to indicate that if my business is collecting personal information in order to provide my service, I need a DPO. There is some question as to scale, but nowhere is that defined in anything approaching concrete terms. If I have 5 customers and all 5 of them have given me their name, email, and a brief biography that I store for the purposes of providing my service, at least one guidance document from the EU states that scale is relative to the size of the business, so I would need a DPO in this case. What about 50, or 500, or 5000? Any number I would pick is arbitrary. What if I collect birthdates or other information that is essential to my service?
It's easy to say "I'm small and don't need a DPO"... but the law is nothing close to clear on this issue.
And the guidance clearly states that I cannot be the DPO while also holding all the other positions in the company.
"Basically this means the DPO cannot hold a position within your organization that leads him or her to determine the purposes and the means of the processing of personal data."
The UK ICO describes when a company does and doesn't need a DPO, at least with the UK implementation of the GDPR:
https://ico.org.uk/for-organisations/guide-to-data-protectio...
The first question it addresses is "Do we need to appoint a Data Protection Officer?", for which the answer can be "no", depending on your activities and type of organisation.
Roughly, it's a no if you are not a government body and your PII handling is secondary (such as for HR in your startup) rather than a core activity at large scale (such as running a HR service or user-tracking service).
As a startup it is plausible that you are a "yes" if you handle PII as a core activity, for example if you are taking users' PII such as their names, addresses, locations, etc. But even then, you may not be doing so at large enough scale to require a DPO. If you are, though, it's time to hire one, and you're probably at a scale where you can afford to.
Broadly, you could think of a DPO as more like an auditor or independent overseer in a particular area, whose job is to check you are complying. Just like an auditor or security professional, you can hire an external one in to ensure your business is complying and show that you've done so. Larger companies doing large and more intrusive activities need it, the same way as those are the companies which need other forms of auditing and independent oversight.
It's a different function from the DPC (data protection controller), who is in charge of actually processing the PII you hold. See "What are 'controllers' and 'processors'?":
https://ico.org.uk/for-organisations/guide-to-data-protectio...
At a one person startup the DPC is almost certainly you, as you make the decisions on how to process PII, even if you delegate the actual processing sometimes. You have responsibilities as a DPC, but you can do it, and it'll just be one more, among the many duties you have as a director of a one person company. Imho, being a DPC isn't any more onerous than the other duties of a director.