necessity and proportionality of the processing; a risk assessment with regard to individual rights; and the safeguards and accountability measures that are envisaged.” 77 Also, Article 28 will require companies to “maintain a record detailing, among other things, the purposes of processing; categories of individuals; potential data recipients within and outside the EU; appropriate safeguards for transfers; and security measures.” 78 The detail and importance of retaining records and PIAs is emphasized because such records must be provided to the Data Protection Authorities upon request to demonstrate compliance with the GDPR and avoid potential sanctions. 79 Therefore, detailed and organized PIAs can help data controllers and processors evade the GDPR’s harsh sanctions. 2. DATA PROTECTION OFFICERS The GDPR will require the appointment of a position known as the data protection officer (DPO) in certain circumstances. The GDPR requires data processors and controllers to appoint a DPO when a company’s “core processing activities require regular and systematic monitoring of individuals on a large scale, or where its core activities consist of the processing of sensitive data on a large scale.” 80 Due to the DPO’s limited application for most companies, it is unlikely that many companies will be required to appoint a mandatory DPO. 81 Nevertheless, data controllers and processors need to evaluate their data practices to determine whether their organization will ultimately require a DPO to ensure compliance with the GDPR. A recent study by the International Association of Privacy Professionals estimates that the GDPR’s requirement for a DPO will require the appointment of approximately 28,000 DPOs over the next two years in Europe alone. 82 If a DPO is required for a data controller or processor, the DPO will have the responsibility of overseeing the controller’s or processor’s compliance with the GDPR based on their data retention policies and record keeping. 83 Understandably, these DPOs will need to have expert knowledge on data protection practices and laws to ensure the company is in compliance with the regulation. 84 A DPO appointed for 73 Id. 74 Id. 75 Id. 76 Id. 77 Van der Wolk and Petrova , supra note 4. 78 Id. 79 Id. 80 Millard and Newby , supra note 3. 81 Van der Wolk and Petrova , supra note 4. 82 Computerweekly.com, s upra note 5. 83 Millard and Newby , supra note 3. 84 Consilio.com , supra note 38.