Article 37 of the GDPR says:
The controller and the processor shall designate a data protection officer in any case where:
(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.
For many commercial companies the key question becomes whether the company’s core activities require regular and systematic monitoring of data subjects on a large scale (such as tracking and profiling users with marketing cookies), or consist of large-scale processing of special category data (such as health care data). Either of these circumstances could easily push a company into the DPO requirement.
Even if a company is not strictly required to have a DPO, any company with a presence in the EU should consider appointing one. Under the GDPR, the timelines that apply in the case of a data breach are very short, much shorter than traditional timelines. Consequently, companies need to be well prepared before a breach occurs in order to act. Once a breach happens, a company will need to know which authorities to contact in each of the EU countries, and likewise each of those authorities will need to know whom to contact in your company. These relationships should be clearly established ahead of time. The DPO will be the company’s public point of contact and crisis manager, and will need to act quickly.