With the advent of the Data Protection Law (Brazilian Federal Law No. 13.709/18 – LGPD), implementing a personal data protection agenda in the corporate culture is essential.
Due mainly to the fear of administrative sanctions or to adequacy requests from leading customers, companies have been forced to adapt to this new reality, adopting new mechanisms to manage their businesses, as well as new practices and controls, in order to ensure compliance with the new law.
In this context, the Data Protection Officer (DPO) has emerged as the professional responsible, among other duties, for access to, transparency of and compliance in the processing of the data used by companies.
DPO and GDPR
The DPO figure gained notoriety after the General Data Protection Regulation (GDPR) agreed in the European Union in May 2018. However, we cannot say that the DPO concept is new, as this function has been provided for by Directive 95/46/EC since 1995.
Broadly speaking, a DPO is an expert in personal data protection who should monitor and ensure that the company complies with the legislation, internalizing rules and good practices in the company’s culture. The DPO can be seen as a kind of intermediary in the company’s relationship with data holders and government authorities.
The Brazilian General Data Protection Law is based on the rights to freedom and privacy, as well as on free initiative and national economic and technological development.
After years of discussion about the need for a data protection law, a preliminary bill on data protection (No. 4060/12) became bill No. 53/2018 in 2018 and was approved in July 2018 by the Federal Senate plenary. Thus, the Brazilian LGPD began its history nationwide.
The Brazilian LGPD applies to companies, public bodies and individuals with economic purposes. It aims to protect personal data processing by establishing duties and obligations for processing agents and rights for data holders.
According to lawyer Ana Carolina Teles of the Assis e Mendes Advogados firm, “companies don’t need to interrupt their business model or fear the LGPD. On the contrary, they must see the legislation as another standard to which they are expected to adapt and understand it much more as a partner than an enemy. It is important to keep in mind that data is like uranium – it serves both to create clean and renewable energy and to make an atomic bomb!”
The Brazilian data protection law was inspired by the European Regulation in many aspects, and mainly with regard to the DPO figure. In the Brazilian LGPD, the DPO is called Encarregado de Proteção de Dados (EPD).
Specifically, the Brazilian LGPD Article 5, VIII defines the EPD figure as a “person appointed by the controller and operator to work as a communication channel between controller, data holders and the National Data Protection Authority (ANPD)”.
What are the DPO functions within a company?
The Brazilian LGPD Article 5 provides for the selection of the DPO and the activities to be carried out by this professional. In less specific terms, the article also provides for how the DPO’s identity is expected to be publicized.
In short, according to items I to IV of Article 41, the DPO shall provide clarifications to data holders, receive communications from the national authority and take action on them, advise the organization’s employees and contractors on data protection laws, and carry out the duties determined by the controller or by complementary rules.
It is important to understand that the DPO may also be responsible for the preparation, review and/or update of reports on impacts on personal data protection, records of personal data processing, and guidelines for personal data operators. In addition, the DPO may have the following assignments:
- Ensuring that data controllers and data holders are informed about their data protection rights, obligations and responsibilities, and raising their awareness;
- Overseeing the interpretation and application of data protection rules;
- Generating records of data processing in the company and flagging operations that carry specific risks;
- Ensuring compliance with data protection rules within the organization;
- Answering questions or complaints at the request of the company, the data controller or employees, or on the DPO’s own initiative;
- Highlighting the importance of compliance with the applicable data protection rules;
- Ensuring that there is a clear notification when data collection is carried out by the departments, so that users are aware of it and can give their respective permission.
As provided for in Article 41, the National Data Protection Authority (ANPD) will establish complementary rules for the definition and attributions of the DPO, mainly for cases in which the appointment of this professional will not be required in certain types of companies.
What is the DPO’s importance within a company’s staff?
The DPO’s work will contribute to building a positive reputation for the organization by providing more transparency and increasing user confidence. It is also essential that the DPO is fully dedicated to data governance, so that the company’s management can focus its efforts on assertive decisions.
Adriano Mendes, DPO and a partner at Assis e Mendes Advogados, explains the importance of the DPO, its duties and qualifications:
“When analyzing the LGPD, we found that the law does not define the DPO as an individual or legal entity. Thus, the DPO can be both a natural person and a legal person. It is also important to clarify that there are currently no standards recommending or requiring specific training and/or certifications for the DPO. There are no requirements saying that the function is expected to be performed by a legal, technology or information security professional or by other groups. Ideally, the DPO is expected to have autonomy and independence within the organization, as well as active support from C-levels and sufficient time to carry out their tasks. Finally, it is essential that the DPO reports directly to the CEO and board, is able to dialogue and has full knowledge of the sector-specific and general laws affecting how the organization can and should collect data, and of the company’s internal and governance processes. A DPO who follows these guidelines may bring innovation and centralize the data protection culture at the organizational level, establishing internal guidelines that will effectively reinforce the company’s compliance and corporate governance.”
We can conclude that companies that have not yet paid attention to the need to implement the LGPD should start moving in this direction, mainly with regard to the appointment of a professional such as the DPO, who will be essential to pave the way for a data protection culture in organizations.
Do you have any questions about how to deal with the LGPD in practice? Talk to a specialist at Assis e Mendes, a law firm specializing in this topic. Find out more about this work at www.assisemendes.com.br.