Outsourcing the DPO (DPOaaS), Is It a Good Idea?
The Data Protection Officer, or DPO, is a new position that emerged all over the globe with the new privacy regulations, and more recently at the LGPD. Although it already existed in other international legislations, such as the GDPR of the European Union, it is still a novelty here since 2020. Along with it comes the possibility of outsourcing, known as DPO as a Service (DPOaaS).
Due to its novelty and the importance of its role, many companies and organizations are opting for outsourcing this activity. But is it really a good idea? What are the risks and advantages?
Find the answers to these questions and get to know the Data Protection Officer and their responsibilities as per LGPD regulations.
The DPO is an individual or legal entity established within Data Protection Policies as one of the agents involved in the processing and use of data subjects' information. Thus, their role is of utmost importance.
They can be either an individual or a legal entity. However, they cannot correspond to a department or team within the company. After all, documents related to data collection and processing must specifically indicate who is responsible as the DPO.
### Learn more about the roles of data controller and data processor in LGPD
The DPO's functions lie in mediating the relationship between data subjects, the data processor, and the National Data Protection Authority (ANPD).
They do not necessarily make decisions regarding data and its use. However, they assist in following and complying with the guidelines imposed by the data controller and the General Data Protection Law. Another one of the DPO's responsibilities is to provide guidance to employees who have access to third-party data, instructing them on how to adhere to LGPD guidelines and the consents that have been granted.
### Their role is to educate, organize, and audit in accordance with ANPD regulations.
Some of the main activities that a DPO, whether outsourced or not, may perform include:
- Handling data subject complaints, providing clarifications, and taking necessary actions;
- Receiving communications from ANPD and taking appropriate actions;
- Handling consent revocations or changes in consent and taking appropriate measures;
- Ensuring the application of LGPD principles regarding personal data processing;
- Monitoring organizations' compliance with the General Data Protection Law, etc.
Thus, the DPO serves as an intermediary, mediating relationships and being one of the agents responsible for ensuring compliance with LGPD.
Anytime a company or organization desires, they can outsource these services. The law does not require the DPO to be an internal employee. In fact, it does not even require the DPO to be an individual.
Therefore, any self-employed professional or company that provides services in this area can offer services to other companies. This involves the establishment of a service provision or outsourcing contract.
In the case of hiring an external person as a DPO as a service (DPOaaS), a service provision contract is established directly with the professional.
On the other hand, when a company is hired, there is an outsourcing of the DPO. The entity determined as the DPO within the Privacy Policies is the legal entity.
It provides professionals who will perform the typical duties of a DPO. However, they provide this service to a company due to their employer's hiring.
To determine whether outsourcing the LGPD DPO is worthwhile, it is necessary to consider the advantages it offers. Here are some of the main advantages:
First and foremost, it is essential for companies, organizations, and websites to have a clear determination of who the DPO is in order to comply with the LGPD. Currently, all companies must have one, although there are indications of a potential limitation of this requirement in the future.
In this regard, note that it is not always easy to hire someone with the necessary knowledge for this role or to train them to fulfill the duties of a DPO. Therefore, compliance can be more rapid and straightforward through the outsourcing of such services.
Once a qualified professional or even a company with multidisciplinary knowledge for the role is found, the adaptation process becomes much faster. This is because each company and market has its own specificities.
Every new area and law requires extensive study and is subject to various short-term changes. Therefore, outsourcing this role also means outsourcing the responsibility of staying up-to-date and investing in the professionals' training.
Roles involving oversight and audit can sometimes create conflicts with departments and even managers. It is essential for the DPO to have autonomy in their work and even stability, as prescribed by the law. After all, they cannot be threatened with job loss for overseeing processes within the company. Therefore, outsourcing this responsibility can lighten the organizational atmosphere.
Just like any service provider, working with a contract makes it much easier to replace them compared to a full-time employee. Therefore, having a DPOaaS as a legal entity provides much more flexibility in case adjustments or replacements are needed over time.
Labor and social security charges are quite substantial in Brazil. Hiring a legal entity for this role can lead to reduced costs for the company while increasing the remuneration of the service provider.
ATTENTION: It is important to note that, regardless of how responsible a service provider may be for their role, they are still under the hierarchy of the employer. Therefore, ultimate decisions may be the responsibility of the company's administrators, even when using DPOaaS. Be cautious not to rely on outsourcing as a means of avoiding responsibility.
The same applies when the company does not appoint a DPO; the ultimate responsibility falls on the managing partners. When appointed, the professional acts on behalf of the company and its representatives before the national authority.
### Do you know the difference between Data Mapping and ROPA in LGPD?
Another interesting aspect of outsourcing the DPO is that this way, you can have an expert in the field. As mentioned above, it is not your company that is responsible for the training; it is the hired professional or company.
This ensures even greater security for operations to comply with LGPD and be in the hands of experts. It is even better when the professional is part of a network or multidisciplinary group that can assist with the specificities of your business and market.
In this case, the functions are the same as those of an internal DPO. After all, outsourcing only refers to the possibility that the activities are carried out by an external agent to the company.
As mentioned above, this agent can be a legal entity or a natural person. Either way, they must be specifically identified within the Privacy Policy and other documents related to consent, use, and data processing.
Any changes regarding who is responsible as the LGPD DPO must be reflected in policy changes. Failure to do so would result in a violation of the General Data Protection Law and the creation of risks such as fines and even suspension of databases.
Want to learn more about the responsibilities of a Data Protection Officer? I've prepared this article for you!
Tags
Related posts
The Differences Between Data Controller and Data Processor - LGPD
Now that we have the data flow within your company, we need to highlight 2 aspects of LGPD that will help you determine the extent of your responsibility in relation to the many points listed in the company. I'm talking about the difference between Data Controller and Data Processor.
What are Terms of Use and their importance for the LGPD?
Ignoring Terms of Use and their significance within a website, particularly now with LGPD, is a common mistake that both consumers and website owners frequently commit.
Data Protection Officer and LGPD, a Solitary or Teamwork Job?
How do you deal with a profession that didn't even exist a few years ago and is now mandatory in companies? That's precisely the question that arises when we think of the figure of the Data Protection Officer or DPO.
Why Give Consent on Every Website I Visit?
Have you ever noticed that every time you sign up for a service to access information or register on a website for purchases, you need to give consent? If you're wondering why you have to give consent on every website you visit, you'll find the answer here.
Google Consent Mode : Guide du Débutant à l'Avancé.
Avec la prolifération des lois sur la vie privée dans le monde, Google (Alphabet) s'est enfin trouvé obligé d'ajuster ses outils pour être conforme aux nouvelles législations telles que le GDPR, le LGPD, le CCPA, le PIPEDA, le DPDPA, etc.
Google Consent Mode: Guía de principiante a avanzado.
Con la proliferación de leyes de privacidad en todo el mundo, Google (Alphabet) finalmente se ha visto obligado a ajustar sus herramientas para cumplir con nuevas legislaciones como el GDPR, LGPD, CCPA, PIPEDA, DPDPA, entre otras.
Understand the meaning of the LGPD for your company
Surely you've already seen the predictions of fines and sanctions, processes. But, what does it mean to your company?
10 Marketing Processes You Should Rethink under the LGPD!
In the end, our goal has never been to predict doom for companies or to be part of the LGPD's Apocalypse Cavalry. But, since we've been in the market for some time, these kinds of issues always catch our attention when we start data mapping and having conversations with colleagues.
Best practices in tag categorization
It's time to talk about one of the most impactful tasks, both for the company and for the visitors of your websites: tag categorization. But why is it so impactful? What is the relevance of this configuration and how can it affect us? It is precisely because of these common questions we receive from our clients that we have written this article on best practices in tag categorization.
What is the difference between cookies, local storage, and session storage?
Despite cookies being more well-known, what is the main difference between cookies and session storage and local storage? Why choose one over the other? This article will help you with these doubts!
GDPR, LGPD, and CCPA: What Are These Laws, Similarities, and Differences
LGPD, GDPR, and CCPA are data privacy regulations. In this article, we discuss their similarities and differences for practical application.
Data Mapping or Data Inventory - a life jacket for the DPO!
With the data mapping we have a clear understanding of the 5 stages that every data goes through in a company.
What is a privacy policy?
While it's not exactly breaking news, discussions about privacy policies have been popping up more frequently since the start of GDPR in Europe. And despite it seeming coincidental, it's not!
Responsibilities of a data protection officer.
Drawing an analogy from the world of soccer, we can think of the DPO as the "midfielder" of the team, responsible for connecting the defense and the attack.
ROPA in LGPD? Get to Know the Records of Processing Activities.
Brazilian LGPD - General Data Protection Law brought with it several acronyms and specific terms. Many of them are imported from other countries and regulations. One of them is ROPA (Record Of Processing Activities), adapted in Brazil to Registros das Atividades de Tratamento. An essential document for any DPO, Data Processor.
What is Privacy by Design?
With it, all companies that collect personal data such as email, name, phone number, among others, must be attentive to its guidelines and obligations. With the arrival of new laws, some terms begin to stand out, one of them is Privacy by Design, learn more in this post.
AdOpt
Resources
Legal Terms
© GO ADOPT, LLC since 2020 • Made by people who love
🍪