zlacker

>>grabeh+(OP)
> The GDPR will require me to hire people and my entity is too small to be able to afford this

Q: Does my business need to appoint a Data Protection Officer (DPO)?

A: DPOs must be appointed in the case of: (a) public authorities, (b) organizations that engage in large scale systematic monitoring, or (c) organizations that engage in large scale processing of sensitive personal data (Art. 37). If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO.

source: https://www.eugdpr.org/gdpr-faqs.html

>>nabla9+8c
GDPR requires those organisations to appoint a DPO, not to hire anyone new. It's like when you designate Ben to answer the phone after 5PM, Lisa to water the plants and the last guy to leave the office to turn off the light and close the windows (and for many companies there will be a lot less work involved with being a DPO, than with switching off the lights).

>>flexie+Rc
Exactly. Most businesses will already be required to have several "responsible person" roles for e.g. health and safety and fire evacuations. It's just that in a 1-person business they're all the same person.

>>pjc50+hd
Most small companies (below 10 employees) will refrain from appointing a DPO claiming that they don't do large scale systematic monitoring (not clearly defined).

The issue however is that for a DPO you need to avoid conflict of interest, as the DPO should be as independent as possible, even though the DPO could be an employee of the company.

Shareholders, C-level execs, employees that establish means and purposes of processing or handle the actual processing cannot be reasonably expected to place the interests of the data subject(s) above those of the company.

See article 38 for reference.