
I keep hearing on Hacker News how easy it is to be GDPR compliant and that any company following good privacy practices should have no problems.

Then I see stuff like:

>if they had done so, then they would have had assigned a data protection officer who would have long ago asked themselves the question "what do we do in case of a personal information request?"

If I have to hire/create an entirely new position at my company these laws are not straightforward or common sense.



In most places it's not a full-time position but simply a designation of who the responsible person is.

However, the reason why it's not talked about much in the context of GDPR compliance is that it's not really a new GDPR requirement - it has been a mandatory requirement already in the previous privacy laws; any EU company handling private data had to have a designated DPO for many years before GDPR, and that's a non-negotiable basic requirement if you want to handle such data. If a company doesn't have this, then they weren't permitted to handle private data even before GDPR was conceived. GDPR added some more rights for consumers (such as this right to request), which would require the existing DPOs to adjust procedures.

I mean, does it seem likely to you that your company can implement proper, secure handling of private data without having someone responsible for it? This very discussion shows that it takes some attention and specialized knowledge.

And if you can't pay the 'table stakes', then you're not allowed to 'play the game' - this has many parallels with other regulations. Just as it's reasonable to shut down restaurants for gross hygiene violations and prevent them from operating until/unless they can handle food properly, it's reasonable to shut down data processing activities for gross 'data hygiene' violations, and prevent them from operating until/unless they can handle private data properly. Just as you can't do various construction and industrial activities without having a designated occupational hazard person (not necessarily full-time), you can't handle private data processing without a designated data protection person. There's nothing novel here.



