LGPD: What is a Data Protection Officer
A key component of Brazil's Lei Geral de Proteção de Dados (LGPD), also referred to as the General Data Protection Law, is the position of the DPO.
What is a DPO under the LGPD?
DPO stands for Data Protection Officer, a position first introduced by the European Union's General Data Protection Regulation (GDPR). In the Portuguese text of the LGPD the same role is called the "encarregado pelo tratamento de dados pessoais" (person in charge of personal data processing).
What is the Role of the DPO under the LGPD?
The LGPD defines the DPO as the channel of communication between the business, the data subjects, and the Autoridade Nacional de Proteção de Dados (ANPD), Brazil's national data protection authority. Data subjects include, among others, consumers and employees whose personal data the business processes.
Similar to the GDPR, a DPO under the LGPD is expected to:
- Oversee the business's LGPD adaptation process
- Organize and monitor the company's compliance program, with a focus on data protection
- Provide guidance to employees and contractors, interpreting the LGPD so that internal processes, such as the development of new products, comply with its requirements
- Receive complaints and communications from data subjects and from the ANPD, respond to them, and take appropriate action
It is vital to take into account the fact that the ANPD may create complementary regulations that outline additional duties for the DPO.
Is the DPO Liable for a Business’ Non-Compliance with LGPD?
Concerning liability, the LGPD expects the DPO to act with autonomy in carrying out this role; in particular, a DPO should not be dismissed for performing his or her duties.
Furthermore, it is important to make clear that compliance with the LGPD is the responsibility of the data controller.
In this context, the data controller is the natural or legal person that makes the decisions about the processing of personal data of individuals located in Brazil, including whether to collect it in the first place.
Therefore, the DPO is not personally liable for meeting, or failing to meet, LGPD requirements, except where:
- It is proven that he or she acted dishonestly and contrary to the guidelines and instructions of the employer.
What are the Qualifications of a DPO under the LGPD?
The role of Data Protection Officer can be performed by a professional from any field, although a background in law or information technology is generally advisable.
The final version of the LGPD dropped the requirement that DPOs have legal or regulatory training. Nonetheless, combining legal knowledge with other skills remains vital to performing the role well.
A qualified DPO should therefore be skilled in corporate operations, data privacy law, information security, and corporate communications.
Currently, there is no LGPD-specific training mandated for this role. However, there are certifications focused on the DPO function; these courses equip learners with both legal and information security expertise.
What are the Consequences of a Company Failing to Hire DPO?
Since appointing a DPO is a key compliance obligation under the LGPD, failing to appoint one may result in one of the penalties defined in the law.
The LGPD penalty framework comprises:
- Warnings issued for violations and non-compliance, with a deadline for the entity to adopt corrective measures
- Daily fines
- A simple fine of up to 2% of the legal entity's (or group's) revenue in Brazil for its last financial year, excluding taxes, capped at R$50 million per violation (approximately €11 million)
- Other administrative sanctions, including publicizing the infraction, blocking or deleting the personal data concerned, and partial or total suspension or prohibition of the processing activity
Do all Companies Need a DPO?
The LGPD does not set out specific criteria to distinguish companies that must appoint a DPO from those that need not.
Conceptually, every business that handles personal data, whatever its size, should have a Data Protection Officer.
Nonetheless, the final version of the LGPD opened up the possibility of the ANPD creating exceptions to this requirement through complementary rules.
Can the DPO Functions be performed by a Team?
According to the LGPD, the Data Protection Officer should be a natural or legal person, whether an employee or a contractor, with the expertise to undertake this role independently.
Furthermore, the LGPD states that the DPO's identity and contact information must be disclosed publicly, in a clear and objective manner, preferably on the controller's website.
Therefore, the business must nominate a single person or entity to fill the role of DPO. However, the DPO can structure governance programs focused on the protection of personal data.
Essentially, the DPO can create multidisciplinary committees with professionals from different areas to discuss actions, implementation, and management of data handling practices in the company.