The controller and the processor must appoint a DPO where:
Processing is carried out by a public entity.
The core activities require regular and systematic monitoring of data subjects on a large scale.
The core activities consist of processing special categories of (sensitive) personal data on a large scale.
The DPO may be internal or external.
The DPO needs knowledge of data protection law and practice.
The DPO is placed at the centre of information flows on data protection matters.
The DPO reports to top management.
Inform and advise on compliance with the GDPR and other Union and national data protection laws.
Monitor compliance with the law and with the organisation's internal policies.
Advise on and monitor data protection impact assessments (DPIAs).
Cooperate with, and act as the point of contact for, the supervisory authority.
Designate a DPO.
Assess whether you are required to designate a Data Protection Officer.
Which option is best: external or internal? An employee or a contracted service?
Does the role sit within your organisation’s structure and governance arrangements?
Make sure the DPO has the relevant skills.
Review privacy notices, consent procedures and the effectiveness of data subjects' rights procedures.
Monitor whether controllers and processors are compliant.
In-depth knowledge of the organisation's data architecture.
Be liked, or at least respected, by the key employees involved in implementing the GDPR.