The GDPR data protection officer’s role is essentially that of a compliance-focused data coordinator: ensuring that the organization’s processing of personal information does not infringe on the rights and freedoms of the data subjects.
There is definitely a lot of confusion over this new position. First of all, who is required to have one? All EU public bodies and authorities must have one, as must any company processing data involving medical matters or criminal offences, but beyond that things become less clear.
Private companies are only required to appoint a Data Protection Officer if they engage in “core activities” that require “large scale” and “systematic” monitoring of data subjects. The size of an organization doesn’t matter as much as the volume of personal data it is handling.