<P> Records of processing activities must be maintained that include purposes of the processing, categories involved and envisaged time limits. The records must be made available to the supervisory authority on request (Article 30). </P>
<P> If the processing is carried out by a public authority (except for courts or independent judicial authorities when acting in their judicial capacity), or if, in the private sector, processing is carried out by a controller whose core activities consist of processing operations that require regular and systematic monitoring of the data subjects, or processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10, a person with expert knowledge of data protection law and practices should assist the controller or processor to monitor internal compliance with this regulation. </P>
<P> The DPO is similar to a compliance officer and is also expected to be proficient at managing IT processes, data security (including dealing with cyberattacks) and other critical business continuity issues around the holding and processing of personal and sensitive data. The skill set required stretches beyond understanding legal compliance with data protection laws and regulations. More details on the function and the role of data protection officer were given on 13 December 2016 (revised 5 April 2017) in a guideline document. </P>
<P> Under Article 27, organisations based outside the EU must also appoint an EU-based person as a representative and point of contact for their GDPR obligations. This is a separate and distinct requirement from a DPO, although there is overlap in responsibilities that suggests that this role can also be held by the designated DPO. Article 27 does not apply if the business is only involved in "occasional" processing of personal data, is not performing large-scale processing of data relating to criminal convictions or special categories, and the processing is "unlikely to result in a risk to the rights and freedoms of natural persons". </P>

European union general data protection regulation key principles