A key component of Brazil's Lei Geral de Proteção de Dados (LGPD), also referred to as the General Data Protection Law, is the position of the DPO.
The term DPO refers to the Data Protection Officer, a position introduced by the European Union's General Data Protection Regulation (GDPR).
It is important to note that the GDPR served as the inspiration and reference point for the conception of Brazil's LGPD.
The LGPD defines the role of the DPO as being responsible for communication between the business, the ANPD (Autoridade Nacional de Proteção de Dados, Brazil's national data protection authority), and data subjects. Data subjects include, among others, consumers and employees.
Similar to the GDPR, a DPO under the LGPD is expected to:
It is vital to take into account that the ANPD may issue complementary regulations that outline additional duties for the DPO.
Concerning liability, the LGPD provides that the DPO must be able to act with full autonomy. Essentially, a DPO cannot be dismissed as a result of performing his or her duties.
Furthermore, it is important to make clear that compliance with the LGPD is the responsibility of the data controller.
In this context, the data controller is the business that decides to collect and process the personal data of Brazilian residents.
Therefore, the DPO is not individually liable for meeting, or failing to meet, LGPD requirements, except if:
The role of Data Protection Officer can be performed by a professional from any field. However, it is typically recommended that they come from a legal or information technology background.
The final version of the LGPD eliminated the requirement that DPOs have legal or regulatory training. However, combining this specialty with other skills will be vital to performing the DPO role well.
Therefore, a qualified DPO should be skilled in corporate operations, data privacy law, information security, and corporate communications.
Currently, there is no specific training for this role under the LGPD. However, there are certifications focused on this function; these courses aim to equip learners with legal and information security expertise.
Since the appointment of a DPO is a key compliance obligation for businesses under the LGPD, failure to appoint one may result in the enforcement of one of the penalties defined in this data privacy law.
The LGPD penalty framework comprises:
The LGPD does not provide a specific criterion to distinguish companies that must appoint a DPO from those that are not obligated to.
Conceptually, every business that handles personal data, regardless of size, should have a Data Protection Officer.
Nonetheless, the final version of the LGPD opened up the possibility of the ANPD creating exceptions to this requirement.
According to the LGPD, the Data Protection Officer may be a natural or legal person, an employee or a contractor, with the expertise to carry out this role independently.
Furthermore, the LGPD states that the DPO's identity and contact information must be disclosed publicly, clearly and objectively, preferably on the controller's website.
Therefore, a business must nominate a single person to fill the role of DPO. However, the DPO can set up governance programs focused on the protection of personal data.
Essentially, they can create multidisciplinary committees with professionals from different areas to discuss the actions, implementation, and management of data handling practices in the company.