Every company is at some point a data controller for common personal data processing operations such as hiring, payroll, financial reporting, etc., and its responsibilities are detailed in Article 24 – Responsibility of the controller. If your question is related to the Data Protection Officer, the requirements for whether a company must designate a DPO are detailed in Article 37 GDPR – Designation of the data protection officer. Namely, a company must designate a DPO if it is a public authority or body; if its core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale; or if its core activities consist of processing on a large scale of special categories of data and personal data relating to criminal convictions and offenses. However, designating a DPO can be seen as a highly recommended organizational measure to lower the risks related to personal data processing.
If the company decides to designate a DPO, we recommend taking the EU GDPR Data Protection Officer Course on Advisera (link below) and working with the EU GDPR Documentation Toolkit provided by Advisera (link below) that contains all necessary documentation to become GDPR-compliant.
Please also consult these resources: