We’re only starting with the GDPR toolkit, but I’ve an important question that you may be able to answer. The templates mention the DPO a lot, and we decided to not appoint one as we don’t have to. How should we go about it? Who should be there instead? (Separately, I wonder if there’s a specific requirement regarding the format of the record for the decision not to have a DPO?)
The EU GDPR requires the appointment of a formal Data Protection Officer (DPO) only in certain cases, which are listed under Article 37 (https://advisera.com/eugdpracademy/gdpr/designation-of-the-data-protection-officer/). So, if the company you are representing does not find itself in the situations described in the article mentioned above, you don’t need to have a dedicated DPO and you are not required to have any document in place to back up this fact.
This, however, doesn't mean that the company can leave aside the EU GDPR. Data protection specific tasks can be given to different members of the organization, such as Legal Counsels, HR specialists, IT security specialists, etc., or the tasks can be outsourced to a specialized third party.
Just make sure that those members of the organization you select for the data protection tasks have at least some knowledge about the EU GDPR and other relevant data protection laws.