How do you deal with a profession that didn't even exist a few years ago and is now mandatory in companies? That's precisely the question that arises when we think of the Data Protection Officer or DPO.

This term, as well as the professional behind it, emerged with the enactment of privacy laws, in Brazil, the General Data Protection Law - LGPD. This law was enacted in 2018 and only came into effect in 2020. According to the law, they are responsible for ensuring the correct treatment of data that the company may use, which belongs to third parties.

And this responsibility assigned by the law to the professional figure of the Data Protection Officer may lead to the assumption that they are the sole and exclusive responsible party for the care that applies to such data. Is that the case? Is the job of the Data Protection Officer solitary or should it be a team effort? Find out all of this in the following sections.

You know those lists where we see "future professions"? Well, if we considered 2021 as the future, the figure of the Data Protection Officer would be on that list because, in professional terms, it's one of the newest and most modern roles in the market.

After all, this position didn't even exist before LGPD or GDPR. The law created a new profession. This happened the moment the General Data Protection Law explicitly established the existence of this figure. At the same time, it laid out all of their responsibilities.

The Data Protection Officer or DPO (Data Protection Officer) is precisely a figure who must control and manage data processing - in other words, their use - in the day-to-day operations of the company. Thus, they are responsible for ensuring that all processes, flows, and actions respect the limits supported by the Legal Basis that underpins the use of that data by the company. Therefore, in the event of an inquiry from ANPD to the company, they are the ones who must respond on behalf of the institution.

Among the responsibilities of the DPO that are clearly stated in LGPD are:

• Execute tasks determined by the Data Controller and within the limits of that determination (and, of course, the law);
• Handle complaints from data subjects;
• Provide explanations about the use of data to data subjects;
• Communicate with data subjects whenever necessary;
• Take the necessary steps to reflect changes in data use and collection due to changes in the data subject's consent;
• Guide other professionals who handle this data and instruct them regarding security measures and the limits of consent and the application of this information.

By responding to the guidelines of the Data Controller, the DPO is not to be confused with this figure. While the controller refers to the one who defines the mode of treatment of information from its entry to its elimination, the Data Operator is the one who executes the process and ensures that it is strictly followed. When distinct, both the Controller and the Operator must have their respective DPOs.

There are several responsibilities that a DPO has within a company, as we've seen above. And this doesn't happen by chance, as data processing imposes specific limits and requires essential attention and care.

In this sense, it becomes clear that the Data Protection Officer accumulates a series of activities. But, no matter how well-equipped they are for their responsibilities and how up-to-date they are with the company's data processing activities, it's not enough.

The isolated work of the DPO is something that is impossible to occur.

Or rather, it finds no possibilities of developing with the necessary quality and maintaining security against data leaks or improper use.

That's why when we talk about the work of the Data Protection Officer, we cannot understand that their activities are carried out in isolation or individually. The importance and number of responsibilities make their work a team effort.

To avoid any confusion, understand this: the DPO really is responsible for the issues involving data use. Thus, in the event of accidents or problems involving this information, they will be directly involved.

On the other hand, this does not mean that they should work alone. Quite the opposite! Ensuring that other employees and teams are involved in the care required by data processing due to LGPD is crucial.

The work of the Data Protection Officer is multidisciplinary. Legal, Technology, Marketing, Information Security, Process Management, Institutional Relations, etc. Since it's very difficult for one person to master all of these areas, the assistance of a support team is essential!

Only in this way is it possible to develop work in harmony, which takes place jointly to ensure the correct use of data. Therefore, don't isolate your DPO! Their work should take place close to other employees and with their assistance.

One way to provide the Data Protection Officer with the support they need to carry out their activities successfully is to create a data security committee. It should be formed by various professionals representing the company's teams.

Moreover, they should represent the main interests involved when we are faced with data leaks or misuse. Therefore, it should have representatives from Human Resources, the Legal department, and Information Technology, at a minimum.

Likewise, they can include, regularly or in specific situations, representatives from the marketing team, as well as from the Communication, Sales, Finance departments...

With this, the DPO finds opportunities to jointly develop strategies, with each department's representatives helping with their implementation, as well as mapping the main problems that data processing encounters in various business processes.

Each representative acts as a direct extension of the DPO in their department(s), so it is important that they have a good understanding of the processes and autonomy in investigating flows and details.

As we've seen, the DPO is responsible for ensuring that data use occurs in accordance with the legal basis that supports the use of user data and within the limits of LGPD. Also, they must faithfully follow the instructions of the Data Controller.

There are numerous types of activities that occur simultaneously within a company that involve data processing. Consider, in this regard, an online sale. In this case, data such as address, CPF, phone number, and full name are collected, which should be used for:

• Billing;
• Generating invoices;
• Communicating the completion of the sale to the customer;
• Logistics for the separation and forwarding of the product;
• Offering tracking;
• Post-sale contact.
• ...

And these are just some of the activities that require data in a sales process. Therefore, it is necessary for the Data Protection Officer to be familiar with these processes, how they work, the data they use, how they are stored, discarded, and other such information.

Only in this way is it possible to know where the company is succeeding and failing in data processing, as well as to develop security strategies and ensure that data processing takes place within its limits and regulations.

Ideas and possibilities abound. But to try to conclude this topic, one last tip.

When the DPO is in contact with the teams, they also become capable of guiding them so that, in their day-to-day activities, data processing occurs correctly. This can be done in various ways, such as through the development of a manual, training, etc.

It is crucial that everyone who in some way works with data processing has access to such standards and knows exactly what the limits of information use are.

With this, the teamwork of the Data Protection Officer not only becomes possible but also brings effective improvements to the company and makes it secure in compliance with LGPD guidelines.

Have you heard of ROPA in LGPD, do you know what this document is?

Here, we talk a bit more about it, to help you with compliance processes.