This is incorrect - if you have more than 10 employees that handle data, and that basically means everyone sitting behind a computer, your company has to designate someone as data privacy officer who has to make sure that things get handled according to GDPR.
These rules arent strictly enforced yet, but when you run into issues and it can be shown that you didn´t take steps to implement it, it has consequences.
These rules arent strictly enforced yet, but when you run into issues and it can be shown that you didn´t take steps to implement it, it has consequences.