The good news is that you almost certainly do not. There is no requirement for a Data Protection Officer (DPO) just for email marketing lists and various HR functions unless you are a public authority, track online behaviour or process special categories. If in doubt go to: 

So that’s it, you might think; no wasted expense on a DPO for you. However, before you spend the money you’ve saved, just see what a DPO does. It is a position created by the, now live, GDPR. The specified functions are detailed in Article 39 as:
    
•    to inform and advise you and your employees about your obligations to comply with the GDPR and other data protection laws;
•    to monitor compliance with the GDPR and other data protection laws, and with your data protection policies, including managing internal data protection activities; raising awareness of data protection issues, training staff and conducting internal audits;
•    to advise on and monitor data protection impact assessments;
•    to cooperate with the supervisory authority; and
•    to be the first point of contact for supervisory authorities and for individuals whose data is processed.

A DPO’s responsibilities include:

•    When carrying out their tasks the DPO is required to take into account the risk associated with the processing the company is undertaking. They must have regard to the nature, scope, context and purposes of the processing.
•    The DPO should prioritise and focus on the more risky activities, for example where the potential impact on individuals could be damaging. Therefore, DPOs should provide risk-based advice to your organisation.
•    If the DPO’s advice is not followed, the reasons should be documented. 

It is looking a little different now. These are functions that would be very useful to a company working out their obligations with regards the GDPR. It differs from that of a compliance lawyers to a considerable degree.

It seems that for small companies a DPO would be something of an expensive luxury, but for medium-sized and large ones they could be a cost-effective way of ensuring compliance.

A DPO can be an existing employee and can be required to perform other roles, as long as these do not lead to a conflict of interest.

You must ensure that:

•    the DPO is involved, closely and in a timely manner, in all data protection matters;
•    the DPO reports to the highest management level of your organisation;
•    the DPO operates independently and is not dismissed or penalised for performing their tasks;
•    they have adequate resources to enable them to meet their obligations;
•    they have appropriate access to personal data and processing activities;
•    you give the DPO appropriate access to other necessary services within your organisation;
•    their advice is sought when carrying out a DPIA; and
•    the DPO’s details are part of your records of processing activities.

You might feel that a DPO is essential in the short post-implementation period of the GDPR. Remember, though, that even if a DPO is not a legal requirement, they and you would have to comply with all the regulations should you appoint one. 

You can read more on the ICO website – just click here.