Really? Do you have an EU representative for your MVP? Did you hire a legal team to review your site and write up your terms of service? Send me your MVP and I'll show you 10 things that are wrong with it, and if you are compliant somehow then I doubt the product will be viable at all.
So my MVP is an imaginary service that does X for you. It charges $5/month and it uses your email as the login. It captures no data other than what you give it to do said service. Other than good data practices which should be followed anyway, please describe the huge GDPR hurdles that will make this service not viable.
> Basically this means the DPO cannot hold a position within your organisation that leads him or her to determine the purposes and the means of the processing of personal data
Are there exemptions for very small companies?
If you can prove you don't process any user data, at all, does this exempt you from having to appoint a DPO?
> Are there exemptions for very small companies? If you can prove you don't process any user data, at all, does this exempt you from having to appoint a DPO?
From the site:
> Under the GDPR, you must appoint a DPO if:
> * you are a public authority (except for courts acting in their judicial capacity);
> * your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
> * your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
So as far as I can see, yes, for small companies or side projects (i.e. not a public authority, not working with large scale monitoring of individuals, not dealing with criminal convictions) you don't need a DPO.
There's a lot of confusion around this because GDPR actually specifies two different kinds of representative.
There is the Data Protection Officer (DPO), which comes from Article 37, and a representative in the Union (EU Rep), which comes from Article 27.
The purpose of the DPO is to oversee data protection. Whether or not a company needs one depends on the nature and volume of data they handle. I'd expect most small companies that are selling a product or service would not need one.
The purpose of the EU Rep is to provide a point of contact in the Union for data subjects and regulators to contact the company. It is only required for companies that are not in the Union. If the company only occasionally processes data, does not process data from certain particularly sensitive categories, and the processing is unlikely to result in a risk to rights and freedoms of natural persons, no EU Rep is required.
The DPO requirement seems to generate a lot more discussion than the EU Rep requirement, which I find odd. The EU Rep seems to me a much bigger deal from the point of view of small non-EU companies, because the EU Rep has to be in the Union.
> * you are a public authority (except for courts acting in their judicial capacity);
> * your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
> * your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
So if you're not doing 'large scale behaviour tracking', you would not need one. A simple company that sells a subscription service should not need one, unless they are also selling targeted ads, and maybe if they are doing identifiable tracking of how a given user uses the service. Aggregated metrics with no identifiable data do not count (This feature has been used X times). If you are, then it becomes a question of what is 'large scale' in terms of the GDPR.
I have no idea what that means. If my B2B business has a lot of revenue but few customers, am I 'large scale'? If my B2C business has little revenue but a lot of customers, am I 'large scale'? Or maybe 'large scale' applies to the number of servers I use? I have no idea what the criteria are.
1. Are you a public authority? (not sure what this is)
2. Do your organisation's core activities involve tracking and monitoring people's behaviour (for example on the internet, or on CCTV) on a large scale?
3. Do your organisation's core activities involve processing on a large scale 'special categories' of personal data, or large scale criminal convictions or offences data?
(By 'special categories' we mean personal data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, data concerning health or data about a person's sex life or sexual orientation, or genetic or biometric data where it woiuld [sic] identify a living person.)
> 1. Are you a public authority? (not sure what this is)
In the UK at least this is already a widely-known category of organisation and covers things like national and local government bodies, schools, hospitals, fire authorities, the police etc.
Add invoices which contain personal data in the recipient address and must be stored for 10 years safe from manipulation (and then deleted). Combine that with a deletion request, and now you need to delete some data about a customer and keep the rest, which is pretty annoying (yay referential integrity), especially if you're changing existing software, and don't develop from scratch. Of course for the data you can't delete, you now have to restrict access as much as possible, so for every feature in your software you have to figure out if it should use the censored or full data.
Then you have to figure out how much of the order history (up/downgrades etc.) you need to keep so you can keep track of who changed what in case of disputes, etc.
You need to keep track of payments and invoices for accounting and tax purposes, and of course accounting records must be immutable.
Then write documentation describing all the ways you process data and ensure you have a valid updated data privacy contract with all your service providers.
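As an added illustration of the deletion-request problem described above (example code written for this page, not from any commenter): the live profile is scrubbed in place so foreign keys survive, each invoice keeps its own snapshot of the recipient data until an assumed end-of-calendar-year retention date, and a per-feature role check decides who sees the full record and who sees the censored one. The `accounting` role name, the ISO date strings and the retention arithmetic are assumptions.

```python
from dataclasses import dataclass
from datetime import date

RETENTION_YEARS = 10  # invoice retention period mentioned in the thread

@dataclass
class Customer:
    email: str
    name: str
    address: str
    erased: bool = False

@dataclass
class Invoice:
    number: str
    customer_id: int
    issued: date
    retained_until: date
    amount_cents: int
    recipient_name: str     # snapshot taken at issue time, so the invoice
    recipient_address: str  # stays complete after the profile is scrubbed

class Store:
    def __init__(self):
        self.customers, self.invoices = {}, []

    def add_invoice(self, number, customer_id, issued, amount_cents):
        c, issued = self.customers[customer_id], date.fromisoformat(issued)
        # Assumption: retention runs to the end of the 10th calendar year after issue.
        until = date(issued.year + RETENTION_YEARS, 12, 31)
        self.invoices.append(Invoice(number, customer_id, issued, until,
                                     amount_cents, c.name, c.address))

    def erase_customer(self, customer_id, today):
        """Deletion request: scrub the profile, drop expired invoices, keep the rest."""
        c, today = self.customers[customer_id], date.fromisoformat(today)
        # Overwrite in place rather than delete the row, so invoice foreign keys stay valid.
        c.email, c.name, c.address = f"erased-{customer_id}@invalid", "[erased]", "[erased]"
        c.erased = True
        # Invoices still inside retention are kept untouched; only expired ones are removed.
        self.invoices = [i for i in self.invoices
                         if i.customer_id != customer_id or i.retained_until > today]
        return sum(i.customer_id == customer_id for i in self.invoices)

    def invoice_view(self, inv, role):
        """Only the (assumed) accounting role gets the full record; others get the censored one."""
        full = role == "accounting"
        return {"number": inv.number, "amount_cents": inv.amount_cents, "issued": inv.issued,
                "recipient_name": inv.recipient_name if full else "[restricted]",
                "recipient_address": inv.recipient_address if full else "[restricted]"}
```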
Really disappointed when I see these kinds of scare tactics. Compliance (or at least a good-faith attempt at compliance) is quite easy for small/new projects. I'm willing to bet that courts aren't out to make an example of every small infringement, and there's really no reason to discourage people from starting new projects.
Exactly. I have been in contact with the regulation authority a few times to make sure we're compliant and in all cases we found that they are super-helpful. And the GDPR is - while being CEO of an ecommerce company for 15 years now - the easiest and most well-written ecommerce law I have seen. Everything in it makes sense if you just read the freaking law and the recitals included in the law. Period.