The regulation requires public authorities and bodies, and any other organisation that meets the relevant thresholds, to designate at least one person as a Data Protection Officer (DPO) to oversee compliance internally.
This means that any organisation whose core activities involve
‘regular and systematic monitoring of data subjects on a large scale or processing sensitive personal data on a large scale’
will need a person or persons to fulfil this role. That monitoring applies whether the data subjects are internal staff or external customers and vendors, and the DPO may be an employee or an external appointee, so recruiting for a DPO position is relevant to almost every medium to large enterprise.
The GDPR places accountability obligations on data controllers to demonstrate compliance.
This includes requiring them to:
(A) maintain certain documentation,
(B) conduct a data protection impact assessment for riskier processing (DPAs should compile lists of what is caught)
(C) implement data protection by design and by default.
This places the burden squarely on organisations to ensure that every future process is designed with the above in mind. But what about existing processes? What of all the data stores an organisation already holds? Each of these will have to be inventoried, evaluated against the new obligations, and brought into line with them.