GDPR requires those organisations to appoint a DPO, not to hire anyone new. It's like when you designate Ben to answer the phone after 5PM, Lisa to water the plants and the last guy to leave the office to turn off the light and close the windows (and for many companies there will be a lot less work involved with being a DPO, than with switching off the lights).
Exactly. Most businesses will already be required to have several "responsible person" roles for e.g. health and safety and fire evacuations. It's just that in a 1-person business they're all the same person.
