LGPD: What is a Data Protection Officer
A key component of Brazil’s Lei Geral de Proteção de Dados (LGPD), also referred to as the General Data Protection Law, is the position of the DPO.
What is DPO under LGPD?
The term DPO refers to Data Protection Officer, which is a new position introduced by the European Union’s General Data Protection Regulation (GDPR).
What is the Role of the DPO under the LGPD?
The LGPD defines the role of a DPO as being responsible for communication between the business, the ANPD, and data subjects. Data subjects include, for example, consumers and employees.
Similar to the GDPR, a DPO under the LGPD is expected to:
- Oversee a business’ LGPD adaptation process
- Organize and monitor a company’s compliance program with a focus on data protection
- Provide guidance and interpret the LGPD to ensure that a company’s internal processes, such as the development of new products, are compliant with Brazil’s cookie law requirements.
It is important to note that the ANPD may issue complementary regulations that outline additional duties for the DPO.
Is the DPO Liable for a Business’ Non-Compliance with LGPD?
Concerning liability, the LGPD provides that the DPO is to act with full autonomy. In practice, this means a DPO cannot be dismissed for performing his or her duties.
Furthermore, it is important to make it clear that compliance with the LGPD is the responsibility of the data controller.
In this context, a data controller is identified as the business that determines the need to collect and process the personal information of Brazilian residents.
Therefore, the DPO is not personally liable for meeting, or failing to meet, LGPD requirements, except if:
- It is proven beyond a reasonable doubt that he or she acted dishonestly and contrary to the guidelines and needs of his or her employer.
What are the Qualifications of a DPO under the LGPD?
The role of a Data Protection Officer can be performed by a professional from any field. However, it is typically recommended that they come from the legal or information technology fields.
The final version of the LGPD eliminated the requirement for DPOs to have legal and regulatory training. However, combining this specialty with other skills remains vital to performing the DPO role.
Therefore, a qualified DPO should be skilled in corporate operations, data privacy laws, information security issues, and corporate communications.
Currently, there is no specific training for this role in line with the LGPD. However, there are certifications that are focused on this function. These courses are focused on equipping learners with legal and information security expertise.
What are the Consequences of a Company Failing to Hire a DPO?
Since appointing a DPO is a key compliance obligation for businesses under the LGPD, failure to appoint one may result in the enforcement of one of the penalties defined in this data privacy law.
The LGPD penalty framework comprises:
- Warnings issued in case of violations and non-compliance with the intent of having the entity adopt corrective measures.
- Daily fines
- Penalties of up to 2% of annual turnover in Brazil or R$50 million per violation (approximately €11 million).
Do all Companies Need a DPO?
The LGPD does not provide a specific criterion to distinguish companies that need to hire a DPO from those that are not obligated.
Conceptually, all businesses that handle personal data, of any size, should have a Data Protection Officer.
Nonetheless, the final version of the LGPD opened up the possibility of the ANPD creating exceptions to this requirement.
Can the DPO Functions be performed by a Team?
According to the LGPD, a Data Protection Officer should be a natural or legal person, whether an employee or a contractor, with the expertise to undertake this role independently.
Furthermore, the LGPD states that the DPO’s identity and contact information should be disclosed clearly and objectively, preferably on the controller’s website.
Therefore, businesses must nominate a single person to fill the role of a DPO. However, the DPO can structure governance programs focused on the protection of personal data.
Essentially, they can create multidisciplinary committees with professionals from different areas to discuss the actions, implementation, and management of data handling practices in the company.