A Data Protection Officer (DPO) is the independent expert who oversees anorganisation's GDPR compliance — advising on data practices, running DPIAs, andacting as the contact point for data subjects and regulators. Under GDPR Article 37, aDPO is mandatory only when an organisation is a public authority, conducts large-scale systematic monitoring, or processes special category or criminal data at scale.The DPO can be internal or outsourced but must report to top management; a CTO ormarketing head can't double up without a conflict of interest. Non-appointment risksfines up to €10 million or 2% of global turnover. CCPA and CPRA don't require one.‍

‍