GDPR provides for the function of a data protection officer, who should be appointed by the controller in certain situations. I explain when it is mandatory and who and how to appoint to this position, as well as what are his tasks.
Controller may not process personal data at his discretion. For this to be possible, there must be a legal basis. Determining this is one of the first steps an entrepreneur should take when dealing with personal data.