Data Protection Officer and LGPD, a Solitary or Teamwork Job?


9 months ago
João Bruno Soares
5 minutes

How do you deal with a profession that didn't even exist a few years ago and is now mandatory in companies? That's precisely the question that arises when we think of the Data Protection Officer or DPO.

This term, as well as the professional behind it, emerged with the enactment of privacy laws; in Brazil, that law is the General Data Protection Law (LGPD). It was enacted in 2018 and only came into effect in 2020. According to the law, the DPO is responsible for ensuring the correct treatment of the third-party data that the company may use.

And this responsibility assigned by the law to the professional figure of the Data Protection Officer may lead to the assumption that they are the sole and exclusive responsible party for the care that applies to such data. Is that the case? Is the job of the Data Protection Officer solitary or should it be a team effort? Find out all of this in the following sections.

Data Protection Officer and Their Responsibilities

You know those lists where we see "future professions"? Well, if we considered 2021 as the future, the figure of the Data Protection Officer would be on that list because, in professional terms, it's one of the newest and most modern roles in the market.

After all, this position didn't even exist before LGPD or GDPR. The law created a new profession. This happened the moment the General Data Protection Law explicitly established the existence of this figure. At the same time, it laid out all of their responsibilities.

The Data Protection Officer (DPO) is the figure who must control and manage data processing, in other words the use of data, in the day-to-day operations of the company. Thus, they are responsible for ensuring that all processes, flows, and actions respect the limits supported by the Legal Basis that underpins the use of that data by the company. Therefore, in the event of an inquiry from ANPD to the company, they are the ones who must respond on behalf of the institution.

Learn more about the Legal Bases of LGPD.

Among the responsibilities of the DPO that are clearly stated in LGPD are:

  • Execute tasks determined by the Data Controller and within the limits of that determination (and, of course, the law);
  • Handle complaints from data subjects;
  • Provide explanations about the use of data to data subjects;
  • Communicate with data subjects whenever necessary;
  • Take the necessary steps to reflect changes in data use and collection due to changes in the data subject's consent;
  • Guide other professionals who handle this data and instruct them regarding security measures and the limits of consent and the application of this information.

Because the DPO acts on the guidelines of the Data Controller, the two should not be confused. The Controller is the one who defines how information is treated, from its entry to its elimination, while the Data Operator is the one who executes the process and ensures that it is strictly followed. When the Controller and the Operator are distinct, each must have its own DPO.

All teamwork clichés become a reality in data treatment care as per LGPD.

There are several responsibilities that a DPO has within a company, as we've seen above. And this doesn't happen by chance, as data processing imposes specific limits and requires essential attention and care.

In this sense, it becomes clear that the Data Protection Officer accumulates a series of activities. But, no matter how well-equipped they are for their responsibilities and how up-to-date they are with the company's data processing activities, it's not enough.

It is impossible for the DPO to work in isolation.

Or rather, isolated work cannot be carried out with the necessary quality, nor can it maintain security against data leaks or improper use.

That's why, when we talk about the work of the Data Protection Officer, we cannot assume that their activities are carried out in isolation or individually. The importance and number of responsibilities make their work a team effort.

To avoid any confusion, understand this: the DPO really is responsible for the issues involving data use. Thus, in the event of accidents or problems involving this information, they will be directly involved.

On the other hand, this does not mean that they should work alone. Quite the opposite! Ensuring that other employees and teams are involved in the care required by data processing due to LGPD is crucial.

The work of the Data Protection Officer is multidisciplinary: Legal, Technology, Marketing, Information Security, Process Management, Institutional Relations, etc. Since it's very difficult for one person to master all of these areas, the assistance of a support team is essential!

Only in this way is it possible to develop work in harmony, which takes place jointly to ensure the correct use of data. Therefore, don't isolate your DPO! Their work should take place close to other employees and with their assistance.

Formation of a data security committee

One way to provide the Data Protection Officer with the support they need to carry out their activities successfully is to create a data security committee. It should be formed by various professionals representing the company's teams.

Moreover, they should represent the main interests involved when we are faced with data leaks or misuse. Therefore, it should have representatives from Human Resources, the Legal department, and Information Technology, at a minimum.

Likewise, the committee can include, regularly or in specific situations, representatives from the Marketing team, as well as from the Communication, Sales, and Finance departments, among others.

With this, the DPO finds opportunities to jointly develop strategies, with each department's representatives helping with their implementation, as well as mapping the main problems that data processing encounters in various business processes.

Each representative acts as a direct extension of the DPO in their department(s), so it is important that they have a good understanding of the processes and autonomy in investigating flows and details.

Knowledge of the company's processes that rely on data processing

As we've seen, the DPO is responsible for ensuring that data use occurs in accordance with the legal basis that supports the use of user data and within the limits of LGPD. Also, they must faithfully follow the instructions of the Data Controller.

There are numerous types of activities that occur simultaneously within a company that involve data processing. Consider, in this regard, an online sale. In this case, data such as address, CPF, phone number, and full name are collected, which should be used for:

  • Billing;
  • Generating invoices;
  • Communicating the completion of the sale to the customer;
  • Logistics for the separation and forwarding of the product;
  • Offering tracking;
  • Post-sale contact.
  • ...

And these are just some of the activities that require data in a sales process. Therefore, it is necessary for the Data Protection Officer to be familiar with these processes, how they work, the data they use, how they are stored, discarded, and other such information.

Only in this way is it possible to know where the company is succeeding and failing in data processing, as well as to develop security strategies and ensure that data processing takes place within its limits and regulations.

Establishing Limits and Rules for Data Use by Teams

Ideas and possibilities abound. But to try to conclude this topic, one last tip.

When the DPO is in contact with the teams, they also become capable of guiding them so that, in their day-to-day activities, data processing occurs correctly. This can be done in various ways, such as through the development of a manual, training, etc.

It is crucial that everyone who in some way works with data processing has access to such standards and knows exactly what the limits of information use are.

With this, the teamwork of the Data Protection Officer not only becomes possible but also brings effective improvements to the company and makes it secure in compliance with LGPD guidelines.

Have you heard of ROPA in LGPD? Do you know what this document is?

Here, we talk a bit more about it, to help you with compliance processes.

