Under the GDPR many organizations are obliged to appoint a designated Data Protection Officer (DPO). Have you checked if you are one of them?

WP29 suggests the DPO is located within the European Union, whether or not the controller or processor is established in the European Union.

In accordance with WP29 guidance it is possible to appoint an external DPO and have the (mandatory) tasks fulfilled on the basis of a service contract.