The simple answer to this question is that not all companies need to appoint a Data Protection Officer (DPO) under the General Data Protection Regulation (GDPR). Contrary to a common assumption, the GDPR sets no headcount threshold for this: the figure of 250 employees appears in the regulation's record-keeping provisions (Article 30), not in the rules on DPOs (Article 37). Whether a DPO is mandatory depends on what the organisation does with personal data, not on its size.
So a small business may need to appoint a DPO just as a large one may, if its core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special category personal data (or of data about criminal convictions and offences). All public authorities and bodies must appoint a DPO, with the exception of courts acting in their judicial capacity.
You can see that this means there will likely be a large demand for DPOs following the introduction of the GDPR. It is important to note, though, that the GDPR does not require a DPO to hold any particular qualification or certification. It requires that the person be appointed on the basis of their professional qualities, in particular expert knowledge of data protection law and practice and of how it applies to the company's processing, and that they are able to carry out the DPO's tasks: informing and advising the organisation, monitoring its compliance, advising on data protection impact assessments, and acting as the contact point for data subjects and the supervisory authority.
What this means for a company is that it may be able to appoint a DPO internally, as long as it can demonstrate that the individual has sufficient expertise. The individual must not hold any other role within the company that could lead to a conflict of interest, which in practice rules out anyone who decides the purposes and means of processing, such as the head of IT, HR or marketing. DPOs must always be able to act freely and independently: they must not receive instructions on how to carry out their tasks, must not be dismissed or penalised for performing them, and must report directly to the highest level of management.
Companies can also appoint a third party as DPO, on the basis of a service contract. If they decide to do this they need to bear in mind that the third party must also comply with the GDPR, and that the same requirements of expertise, independence and absence of conflicts of interest apply to an external DPO as to an internal one. These requirements should be written into the contract between the company and the third party.
Even if a company is not required to have a DPO under the regulation, it may still decide that one is worth having. Having a DPO in place means that someone within the company has the expertise to ensure that its data processing meets the GDPR's requirements, helping the company to avoid sanctions for non-compliance. Note, however, that a voluntarily appointed DPO is subject to the same requirements as a mandatory one; a company that wants data protection advice without taking on those obligations should give the role a different title.