When an organisation appoints a Data Protection Officer whether on a voluntarily basis or because its processing activities meet the criteria set out in the GDPR (see here, for more details), it should pay attention to the following points at the time of the DPO’s appointment:
The contractual relationship between the DPO and the Controller or Processor
The skills and level of expertise of the DPO
The position of the DPO within the company organisation and the resources to be allocated