A key component of Brazil’s Lei Geral Protecao de Dados (LGPD) also referred to as the General Data Protection Law is the position of the DPO.
Under the LGPD, a DPO will serve as the link between a business and its data subjects as well as with the ANPD.
What is DPO under LGPD?
The term DPO refers to Data Protection Officer, which is a new position introduced by the European Union’s General Data Protection Regulation (GDPR).
It is important to note that the GDPR served as the inspiration and reference point in the conception of Brazil’s LGPD.
What is the Role of the DPO under the LGPD?
The LGPD defines the role of a DPO as being responsible for the communication between businesses, the ANPD, and data subjects. In this case, data subjects can be consumers and employees, just to name a few.
Similar to the GDPR, a DPO under the LGPD is expected to;
- Oversee a business’ LGPD adaptation process
- Organize and monitor a company’s compliance program with a focus on data protection
- Provide guidance and interpret the LGPD to ensure a company’s internal processes such as the development of new products is compliant with Brazil’s cookie law requirements.
It is vital to take into account the fact that the ANPD may create complementary regulations that outline additional duties for the DPO.
Is the DPO Liable for a Business’ Non-Compliance with LGPD?
Concerning liability, the LGPD provides for the DPO to be allowed to act with full autonomy. Essentially, a DPO cannot be dismissed as a result of performing his/her duty.
Furthermore, it is important to make it clear that compliance with the LGPD is the responsibility of the data controller.
In this context, a data controller is identified as the business that determines the need to collect and process the personal information of Brazilian residents.
Therefore, the DPO is not liable as an individual for the fulfillment or the failure to meet LGPD requirements except if;
- It is proven beyond a reasonable doubt that he/she acted dishonestly and in disagreement with the guidelines and the needs of his employer.
What are the Qualifications of a DPO under the LGPD?
The role of a Data Protection Officer can be performed by a professional from any field. However, typically, it is recommendable that they are in legal or information technology specialties.
The final version of the LGPD eliminated the requirement of DPOs to have legal regulatory training. However, the connection of this specialty with other skills will be vital to the performance of the DPO role.
Therefore, a qualified DPO should be skilled in corporate operations, data privacy laws, information security issues, and corporate communications.
Currently, there is no specific training for this role in line with the LGPD. However, there are certifications that are focused on this function. These courses are focused on equipping learners with legal and information security expertise.
What are the Consequences of a Company Failing to Hire DPO?
Since the position of a DPO is a key compliance obligation for business according to the LGPD, failure to appoint one may result in the enforcement of one of the penalties defined in this data privacy law.
The LGPD penalty framework comprises;
- Warnings issued in case of violations and non-compliance with the intent of having the entity adopt corrective measures.
- Daily fines
- Penalties up to 2% of annual turnover in Brazil or R50 Million per violation, app. €11 million.
Do all Companies Need a DPO?
The LGPD does not provide a specific criterion to distinguish companies that need to hire a DPO from those that are not obligated.
Conceptually, all businesses that handle personal data, of any size, should have a Data Protection Officer.
Nonetheless, the final version of the LGPD opened up the probability of the ANPD creating exceptions to this requirement.
Can the DPO Functions be performed by a Team?
According to the LGPD, a Data Protection Officer should be a natural or legal individual, employee or contracted, with the expertise to undertake this role independently.
Furthermore, the LGPD states that the DPO’s identity and contact information should be revealed, clearly, and factually, advisably on the controller’s website.
Therefore, business must nominate a single person to fill the role of a DPO. However, the DPO can structure governance programs focused on the protection of personal data.
Essentially, they can create multidisciplinary committees with professionals from different areas to discuss actions, implementation, and management of data handling practices in your company.
Download your free LGPD e-book and get it delivered straight into your inbox