To achieve GDPR compliance, you may be required to appoint a person to oversee all data-protection-related procedures. A Data Protection Officer:
Is knowledgeable about all aspects of GDPR
Does not receive instructions regarding the performance of their duties
Does not report to a direct superior (other than top management)
Has full access to all necessary resources within the organization needed to complete their tasks
Has the authority to investigate personal-data-related operations
A Data Protection Officer MUST be appointed in the case of:
public authorities, or
entities that engage in large-scale systematic monitoring, or
entities that engage in large-scale processing of sensitive personal data.
If you don’t fall into one of these categories, you do not need to appoint a Data Protection Officer, but it is important to designate one person in your organization who will cover the requirements a DPO would otherwise be needed for.