Hacker News

Every single official guidance on GDPR that I have seen, such as https://ico.org.uk/for-organisations/guide-to-dp/guide-to-th..., states that I would have conflict of interest serving as DPO because "Basically this means the DPO cannot hold a position within your organization that leads him or her to determine the purposes and the means of the processing of personal data."

The same document specifically points out that as I head marketing, I cannot also be the DPO.




It is recommended, not mandatory. You are a single-person company.

Do you think every family run corner shop or plumber or painter in the EU has hired a DPO? No.


I have seen nothing that says it is recommended and not mandatory. Do you have a source?


Your own link did, but now the page returns a 404 error.

However, see https://ico.org.uk/for-organisations/guide-to-data-protectio...

> Under the UK GDPR, you must appoint a DPO if:

> - you are a public authority or body (except for courts acting in their judicial capacity);

> - your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or

> - your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.


It is saying that I MAY not have to appoint a DPO, depending on various criteria... but then when you go to look at what those criteria are, it merely tells you:

--- What does ‘regular and systematic monitoring of data subjects on a large scale’ mean?

There are two key elements to this condition requiring you to appoint a DPO. Although the UK GDPR does not define ‘regular and systematic monitoring’ or ‘large scale’, the Article 29 Working Party (WP29) provided some guidance on these terms in its guidelines on DPOs. WP29 has been replaced by the European Data Protection Board (EDPB) which has endorsed these guidelines. Although these guidelines relate to the EU version of the GDPR, they are also a useful resource for understanding the requirements of the UK GDPR.

‘Regular and systematic’ monitoring of data subjects includes all forms of tracking and profiling, both online and offline. An example of this is for the purposes of behavioural advertising.

When determining if processing is on a large scale, the guidelines say you should take the following factors into consideration:

    the numbers of data subjects concerned;
    the volume of personal data being processed;
    the range of different data items being processed;
    the geographical extent of the activity; and
    the duration or permanence of the processing activity.
---

So neither this page, nor the law (according to this page itself), nor any other guidance I have found defines what "a large scale" means. It gives some really squishy criteria, and then leaves it up to the DPA to fine whoever they want to, because they refuse to define anything in concrete terms. No one except commenters on Hacker News can possibly know whether or not they are in compliance.



