zlacker

[parent] [thread] 7 comments
1. nabla9+(OP)[view] [source] 2018-05-18 10:23:03
> The GDPR will require me to hire people and my entity is too small to be able to afford this

Q: Does my business need to appoint a Data Protection Officer (DPO)?

A: DPOs must be appointed in the case of: (a) public authorities, (b) organizations that engage in large scale systematic monitoring, or (c) organizations that engage in large scale processing of sensitive personal data (Art. 37). If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO.

source: https://www.eugdpr.org/gdpr-faqs.html

replies(2): >>zerost+9 >>flexie+J
2. zerost+9[view] [source] 2018-05-18 10:25:36
>>nabla9+(OP)
There is a legitimate question here, where does "large scale" begin? There are a lot of similar questions that nobody can personally guarantee they know the answers for.
replies(1): >>nabla9+y2
3. flexie+J[view] [source] 2018-05-18 10:32:24
>>nabla9+(OP)
GDPR requires those organisations to appoint a DPO, not to hire anyone new. It's like when you designate Ben to answer the phone after 5PM, Lisa to water the plants and the last guy to leave the office to turn off the light and close the windows (and for many companies there will be a lot less work involved with being a DPO, than with switching off the lights).
replies(1): >>pjc50+91
4. pjc50+91[view] [source] [discussion] 2018-05-18 10:38:20
>>flexie+J
Exactly. Most businesses will already be required to have several "responsible person" roles for e.g. health and safety and fire evacuations. It's just that in a 1-person business they're all the same person.
replies(1): >>cbg0+I2
5. nabla9+y2[view] [source] [discussion] 2018-05-18 10:54:43
>>zerost+9
In the GDPR draft it was "250 employees or with 5000 records", but 5000 records was dropped.

Now it says:

http://data.consilium.europa.eu/doc/document/ST-5419-2016-IN...

> The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.

Basically, a small firm that is just holding a minimum amount of customer/user information and data, and where the business model is not centered around profiling and processing user data.

replies(1): >>cbg0+R2
6. cbg0+I2[view] [source] [discussion] 2018-05-18 10:57:19
>>pjc50+91
Most small companies (below 10 employees) will refrain from appointing a DPO claiming that they don't do large scale systematic monitoring (not clearly defined).

The issue however is that for a DPO you need to avoid conflict of interest, as the DPO should be as independent as possible, even though the DPO could be an employee of the company.

Shareholders, C-level execs, and employees that establish the means and purposes of processing or handle the actual processing cannot reasonably be expected to place the interests of the data subject(s) above those of the company.

See article 38 for reference.

7. cbg0+R2[view] [source] [discussion] 2018-05-18 11:00:09
>>nabla9+y2
The piece of text you're quoting is referring to the obligations of keeping "Records of processing activities", and is not the definition of large scale, which is undefined in the GDPR.
replies(1): >>nabla9+j5
8. nabla9+j5[view] [source] [discussion] 2018-05-18 11:35:31
>>cbg0+R2
The GDPR is referring to Article 2 of the Annex to Commission Recommendation 2003/361/EC. That's where the number 250 originates from.

http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2...

> Staff headcount and financial ceilings determining enterprise categories

> 1. The category of micro, small and medium-sized enterprises (SMEs) is made up of enterprises which employ fewer than 250 persons and which have an annual turnover not exceeding EUR 50 million, and/or an annual balance sheet total not exceeding EUR 43 million.
