To achieve GDPR compliance, you may be required to appoint a person to oversee all data-protection-related procedures. A Data Protection Officer:
- Is knowledgeable about all aspects of GDPR
- Does not receive instructions regarding the performance of their duties
- Does not report to a direct superior (other than top management)
- Has full access to all necessary resources within the organization needed to complete their tasks
- Has the authority to investigate personal-data-related operations

A Data Protection Officer MUST be appointed in the case of:
- public authorities, or
- entities that engage in large-scale systematic monitoring, or
- entities that engage in large-scale processing of sensitive personal data.

If you don’t fall into one of these categories, you do not need to appoint a Data Protection Officer, but it is important to designate one person in your organization who will cover the requirements that would otherwise call for a DPO.