
@jerry Thank you for giving your perspective—it's nice to see a list of specific complaints rather than the uninformed whining I've seen in a lot of places. One thing that bugs me is that foreign organizations are required to appoint a representative in the EU (Article 27), with no exemption for small businesses.

@stringlytyped good point. I have heard that many small businesses are buying consultants to act as the DPO (basically a fractional DPO)

@jerry @stringlytyped DPOaaS.

I'm going to be honest. Article 27 was something I hadn't really thought much about, being distracted with the rest (including Article 37 regarding establishment of a DPO).

I had somehow previously come to the conclusion that my org as a processor doesn't need a DPO. I suppose it comes down for both (at least for me) to large scale monitoring (91). I don't think many small businesses will fit this bill.

@SandPaper @stringlytyped my understanding is that you, as a processor, do need a DPO.

@jerry I am not exactly skilled at reading legalese, but I think @SandPaper may be right. I was having a hard time understanding 27(2)(a) (so many commas!) but upon reading it again, it does look like you only need to appoint an EU rep if you:

1) perform frequent processing of data (idk what qualifies as frequent vs. occasional),
2) process a special category of data "on a large scale", or
3) risk the rights of EU persons

And the same applies (more or less) to the DPO requirement in 37(1).

@jerry @SandPaper If this interpretation is correct, that would mean that everyone that has been claiming that the GDPR doesn't contain small business exemptions for appointing a DPO is wrong.

@stringlytyped @SandPaper I suspect I am wrong on this — I’ve not focused on this area of the GDPR

@jerry

The complexity of European laws in the member states is definitely there. But that's not specific to #GDPR.

However the law is pretty simple and clear (if wordy), and there are several issues in your interpretation.

The funniest one is that of your blog, hosted in Texas.

Article 3, comma 2 explains why the hosting provider (and possibly the host owner) is subject to GDPR: eur-lex.europa.eu/legal-conten

I suggest you tell your readers that you are not a competent European lawyer. #Infosec

@Shamar I had the same misunderstanding you do before a European data privacy lawyer corrected me.

@jerry

Can you share the correction?

> This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or the monitoring of their behaviour as far as their behaviour takes place within the Union.

An HTTP server.. serve