Organisations need a Data Protection Officer (DPO) and his assignment is mandatory in certain specific cases:
- when the processing is carried out by a public authority or body;
- where the core activities of the controller or the processor consist of processing operations which require regular monitoring of data subjects;
- where the core activities consist of processing special categories of data on a large scale or personal data relating to criminal convictions.
Article 37(4) states that Union or Member State law may require the designation of a DPO in other situations as well. The conclusion is, in order to be on the safe side and make sure you are 100% compliant to the GDPR, you should appoint a DPO.