Regulation 2016/679 (GDPR) introduces a new role: the Data Protection Officer (DPO). Mandatory for some categories of Controllers and Processors and optional for the remaining ones (see Article 37), the DPO plays a peculiar role within the controller's organization.
The GDPR defines the main DPO tasks (see Article 39 for details): inform and advise …, monitor compliance …, provide advice …, cooperate with the supervisory authority …, act as the contact point for the supervisory authority ….
Clearly, no operational tasks are assigned to the DPO by the GDPR, even if other tasks can be assigned to the person acting as DPO, provided they do not result in a conflict of interests.
So, is the DPO responsible for the compliance of the organization? I would answer no. Furthermore, I would say that the DPO cannot be the person responsible for ensuring compliance with the GDPR; otherwise he or she would have to monitor himself or herself.
Having said that, another question arises immediately: given that the GDPR explicitly states that the DPO function can be supplied by an external service provider, which is the better choice, appointing an employee or buying the service from a specialized supplier?
The answer, of course, depends on many factors: the size of the organization, whether such competence already exists in-house, the kinds of personal data and processing, and so on. Some of these factors depend on the service as well: industry-specific competence really seems to be a key factor for a service to be useful, particularly in those industries with less of a privacy mindset and less experience.