
You don't need a DPO. I work with healthcare businesses and some of them don't even need a DPO.

You only need a DPO if you are a public authority, if you do large scale processing or large scale processing of sensitive data (ambiguous in the GDPR).

If you collect some data, all you need is a privacy policy outlining such, stating what you collect in general and that your legal basis for doing so is to provide the user a service and to monitor for app crashes / bugs - both within your legitimate interests.

Many people have interpreted GDPR to be stricter than it is. In fact, those who have to do the most work are those that cause incredible damage to individuals when they lose data - especially those that have had recent, massive data breaches, e.g. Equifax.



I'd feel better if there were a definition of 'large scale' somewhere but the official documents are just too ambiguous.

Are 1 million IPs in my logs 'large scale'?


It's not defined. It was left intentionally ambiguous in the GDPR so member states have some flexibility in definition.

I've got a call with a lawyer on Monday to clarify some bits of the GDPR. Number one Q for me is "how far can you take legitimate interests?".

Some lawyers are advising that marketing data and usage falls under legitimate interest, in a way that these huge drives for consent seem unnecessary.

If anyone else has any questions, I can ask and feedback. I'm sure I'll have those questions too.


> Some lawyers are advising that marketing data and usage falls under legitimate interest,

Even ICO says legitimate interests might be okay for some marketing.

https://ico.org.uk/for-organisations/guide-to-the-general-da...


Possibly, but they are not "sensitive data" (aka "special categories of personal data"). Article 9 of the GDPR outlines what these special categories are:

"personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, [...] genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation"


Oddly, GDPR gives 3 reasons why you would need a DPO:

1. you're a public authority (NHS practices are an example)

2. Large scale processing

3. Large scale processing of sensitive data

They don't specify what large scale means. They also haven't specified how sensitive data qualifies the third statement. One can assume the threshold is lower but the GDPR doesn't specify any thresholds with regards to this.


It really should be defined by company size or revenue. If my site goes viral and a small web app suddenly has 2M lines of logs, but my revenue is small/non-existent, then there's no reason to comply. If that pushes my revenue over 1M euros a year, you now get pushed into a zone where you should be compliant, and you have enough revenue to afford it as well.


Another comment in this thread indicated that "large scale" was any business in which 5 employees or more had access to the data in the course of normal business operations.

Not exactly an ironclad source, but better than nothing, hopefully.



