How do you deal with a profession that didn't even exist a few years ago and is now mandatory in companies? That's precisely the question that arises when we think of the Data Protection Officer or DPO.
This term, and the professional behind it, emerged with the enactment of privacy laws; in Brazil, that law is the General Data Protection Law (LGPD). The law was enacted in 2018 and only came into effect in 2020. Under the law, the DPO is responsible for ensuring that the personal data of third parties which the company processes is handled correctly.
And this responsibility assigned by the law to the professional figure of the Data Protection Officer may lead to the assumption that they are the sole and exclusive responsible party for the care that applies to such data. Is that the case? Is the job of the Data Protection Officer solitary or should it be a team effort? Find out all of this in the following sections.
You know those lists where we see "future professions"? Well, if we considered 2021 as the future, the figure of the Data Protection Officer would be on that list because, in professional terms, it's one of the newest and most modern roles in the market.
After all, this position didn't even exist before LGPD or GDPR. The law created a new profession. This happened the moment the General Data Protection Law explicitly established the existence of this figure. At the same time, it laid out all of their responsibilities.
The Data Protection Officer (DPO) is precisely the figure who must control and manage data processing, in other words the use of data, in the day-to-day operations of the company. Thus, they are responsible for ensuring that all processes, flows, and actions respect the limits of the legal basis that underpins the company's use of that data. Therefore, in the event of an inquiry from the ANPD (Brazil's national data protection authority) to the company, they are the ones who must respond on behalf of the institution.
Among the responsibilities of the DPO that are clearly stated in LGPD are:
The DPO follows the guidelines of the Data Controller but must not be confused with that figure. The Controller is the party that defines how information is processed, from its entry to its elimination, while the Data Operator (processor) is the party that executes the processing and ensures that those instructions are strictly followed. When the Controller and the Operator are distinct entities, each must have its own DPO.
There are several responsibilities that a DPO has within a company, as we've seen above. And this doesn't happen by chance, as data processing imposes specific limits and requires essential attention and care.
In this sense, it becomes clear that the Data Protection Officer accumulates a series of activities. But, no matter how well-equipped they are for their responsibilities and how up-to-date they are with the company's data processing activities, it's not enough.
A DPO working in isolation is simply not viable. Or rather, isolated work cannot be carried out with the necessary quality while maintaining security against data leaks or improper use.
That's why when we talk about the work of the Data Protection Officer, we cannot understand that their activities are carried out in isolation or individually. The importance and number of responsibilities make their work a team effort.
To avoid any confusion, understand this: the DPO really is responsible for the issues involving data use. Thus, in the event of accidents or problems involving this information, they will be directly involved.
On the other hand, this does not mean that they should work alone. Quite the opposite! Ensuring that other employees and teams are involved in the care required by data processing due to LGPD is crucial.
The work of the Data Protection Officer is multidisciplinary, spanning Legal, Technology, Marketing, Information Security, Process Management, Institutional Relations, and more. Since it's very difficult for one person to master all of these areas, a support team is essential!
Only in this way is it possible to develop work in harmony, which takes place jointly to ensure the correct use of data. Therefore, don't isolate your DPO! Their work should take place close to other employees and with their assistance.
One way to provide the Data Protection Officer with the support they need to carry out their activities successfully is to create a data security committee. It should be formed by various professionals representing the company's teams.
Moreover, they should represent the main interests involved when we are faced with data leaks or misuse. Therefore, it should have representatives from Human Resources, the Legal department, and Information Technology, at a minimum.
Likewise, it can include, regularly or in specific situations, representatives from the Marketing team, as well as from the Communication, Sales, and Finance departments...
With this, the DPO finds opportunities to jointly develop strategies, with each department's representatives helping with their implementation, as well as mapping the main problems that data processing encounters in various business processes.
Each representative acts as a direct extension of the DPO in their department(s), so it is important that they have a good understanding of the processes and autonomy in investigating flows and details.
As we've seen, the DPO is responsible for ensuring that data use occurs in accordance with the legal basis that supports the use of user data and within the limits of LGPD. Also, they must faithfully follow the instructions of the Data Controller.
There are numerous types of activities that occur simultaneously within a company and involve data processing. Consider, in this regard, an online sale. In this case, data such as address, CPF (the Brazilian individual taxpayer number), phone number, and full name are collected, which should be used for:
And these are just some of the activities that require data in a sales process. Therefore, it is necessary for the Data Protection Officer to be familiar with these processes, how they work, the data they use, how they are stored, discarded, and other such information.
Only in this way is it possible to know where the company is succeeding and failing in data processing, as well as to develop security strategies and ensure that data processing takes place within its limits and regulations.
Ideas and possibilities abound. But to try to conclude this topic, one last tip.
When the DPO is in contact with the teams, they also become capable of guiding them so that, in their day-to-day activities, data processing occurs correctly. This can be done in various ways, such as through the development of a manual, training, etc.
It is crucial that everyone who in some way works with data processing has access to such standards and knows exactly what the limits of information use are.
With this, the teamwork of the Data Protection Officer not only becomes possible but also brings effective improvements to the company and makes it secure in compliance with LGPD guidelines.
© GO ADOPT, LLC since 2020 • Made by people who love🍪