Is there anyone reading this whose company has a DPO already? Is it an internal or external person? How technical are they? I'm a developer and I have a law degree; would that put me in an advantageous position to become one? Is there a market for 'consulting DPOs', like companies hire accountants, if that's allowed? Or do the big consultancy firms have the GDPR market cornered already? I wouldn't want to go in a direction where I would become what today's 'security auditors' do - go through a checklist of mostly irrelevant topics, drum up a list of 'recommendations' that usually aren't relevant or misunderstand the situation, but nobody cares anyway because it's all just busywork to get 'certified' for this or that (or insurance requires it). But if it would be actually working with technical teams on questions like this, that would be interesting.
The answer varies depending on the size of the company. However, I have seen many IT-related professionals taking over the GDPR issues. In larger companies it is a more legal role.
As to your career question: We are currently involved in many different and exciting projects that push the boundaries of law and technology with respect to data protection. Currently, everyone is a GDPR consultant, but the quality and nature of the work differ substantially. For the most part it is an exercise in producing documents and procedures to prove compliance. However, when it comes to implementing technical solutions you can really stand out. So if this is an area that you are interested in, you should move fast. There is also a growing number of international opportunities, as even non-EU companies require GDPR experts.
1. The most extreme, go back to all of your backups and delete them too.
2. You don't need to do anything, if you do not touch the backups and truly treat them for disaster recovery.
3. Your backups need to have reasonable retention (e.g. two years) and a way to apply post requests after recovery.
4. A lot of in between.
5. My personal interpretation is that in the first year of GDPR there will be so many companies that are not even trying to be compliant. Any companies showing any reasonable efforts will be just left alone and at worst hear some recommendations. Of course ad-tracking companies might get screwed, but their business model seems to be incompatible with GDPR.
Also, the right to erasure can be tricky (e.g. what if you keep records for support/warranty purposes). What should you do if someone exercises their right to be forgotten and then asks you for a refund?