A Data Protection Officer must be appointed in an organisation under certain circumstances:
A public authority, except judicial courts
Organisations performing monitoring of individuals on a large scale
Organisations that process large volumes of special categories of data, such as health or criminal records.
A Data Protection Officer can act for a company or a group of companies, but it is important that they have the skills to perform as a DPO.
Obligations of a DPO
Inform the organisation and its employees of their obligations to comply with the GDPR and other Data Protection laws
Monitor compliance, including with the GDPR, which covers managing data protection activities, impact assessments, training, and internal audits.
Be the first point of contact for external authorities as well as for individuals whose data is being processed and should be protected by the organisation.
Reporting structure for the DPO
The DPO should report directly to the highest authority in the organisation (i.e. the Board)
The DPO should operate independently and cannot be dismissed or penalised for doing their job
They should have adequate resources to be able to perform their duties and meet the GDPR obligations.
A Data Protection Officer does not need to have a specific qualification, as the GDPR does not specify one, but they need to have good knowledge of data protection law, which is essential for them to be able to fulfil their obligations under the GDPR.
GDPR is coming into force on 25th May 2018