Since the LGPD was sanctioned in August 2018, through the approval of Provisional Measure No. 869/2018 and its conversion into law (Law No. 13.853/2019), the Data Protection Officer (DPO) role has gone through some twists and turns, such as whether the DPO may be an individual or a legal entity, and whether regulatory legal knowledge is required.
Therefore, this brief article aims to offer some clarification regarding this crucial role in the context of data protection. Job vacancies have indeed appeared, but with them have come the responsibility and the demands of the market!
In the definition of Article 5, item VIII, of the LGPD, the DPO is the "person appointed by the controller and operator to act as a channel of communication between the controller, data subjects, and the National Data Protection Authority (ANPD)."
Drawing an analogy with soccer, we can think of the DPO as the team's "midfielder", responsible for connecting the defense and the attack. Visually, we have:
Thus, the DPO is the figure responsible for mediating the dialogue between the controller and the data subject or between the controller and the ANPD, accommodating their needs and interests.
Among the DPO's various responsibilities, all set out in Article 41, § 2 of the LGPD, their activities consist of:
_I - accepting complaints and communications from data subjects, providing explanations, and taking action;_
_II - receiving communications from the national authority and taking action;_
_III - guiding the entity's employees and contractors on the practices to be adopted regarding the protection of personal data; and_
_IV - performing other duties determined by the controller or established in complementary regulations._
To fulfill these responsibilities, the DPO must master data mapping techniques, identifying every possible source of collection, and must control the data lifecycle, i.e., how the data will be stored and used, with whom it will be shared, and when and how it will be deleted.
Another fundamental aspect, if the DPO is truly to fulfill the role the LGPD proposes, is autonomy in decision-making and in overseeing the company's internal processes. Naturally, as a professional hired by a particular company to act in its interests, the DPO will be subject to some degree to their employer's guidelines. However, this should not compromise their position as an intermediary between the data subject and the ANPD.
In conclusion, it is worth considering that although the current wording of the LGPD no longer requires the DPO to have regulatory legal knowledge, knowledge and, above all, mastery of the LGPD and of the other regulations applicable to personal data protection are essential for the effective performance of the DPO's functions. This is especially true because the LGPD should not be analyzed in isolation, but always within the context of the market and of the other regulations with which the company seeks compliance.
In any case, the growing concern of entrepreneurs regarding the LGPD is natural. After all, Brazil is an extremely complex country for entrepreneurship, and every new regulation brings uncertainty and instability to the game.
ABOUT THE AUTHOR:
Dânton Zanetti is a lawyer, founding partner of Zanetti, Oliveira & Machado Sociedade de Advogados (www.zomadv.com), working in the areas of Business Law, Contract Law, and Digital Law, with a Master's in privacy and data protection.
In this article, we will answer all your questions regarding fines under the LGPD (Brazil's General Data Protection Law).
Every day, millions of users generate data on the web, which is used by companies around the globe to improve their offerings. Therefore, in 2018, a law was created to regulate the use of personal data by companies, and this directly impacts digital marketing. We're talking about LGPD.
LGPD is in effect. Despite that, there are still many companies ignoring it, but is that possible? How long can we ignore LGPD?
Sad, but this story is more real than you think. It all started with a "surprise" fine. Ever imagined everything crumbling around you? All because of a fine, an invoice that came "out of nowhere"? Your bank account, clients, your job, your car loan, marriage...
Those who do not operate in accordance with the LGPD's provisions risk penalties ranging from warnings to the suspension of their website and databases, as well as hefty fines.
Have you ever noticed that every time you sign up for a service to access information or register on a website for purchases, you need to give consent? If you're wondering why you have to give consent on every website you visit, you'll find the answer here.
Surely you've already seen the predictions of fines, sanctions, and lawsuits. But what does it mean for your company?
In the end, our goal has never been to predict doom for companies or to ride with the horsemen of the LGPD apocalypse. But, since we've been in the market for some time, these kinds of issues always catch our attention when we start data mapping and talking with colleagues.
It's time to talk about one of the most impactful tasks, both for the company and for the visitors of your websites: tag categorization. But why is it so impactful? What is the relevance of this configuration and how can it affect us? It is precisely because of these common questions we receive from our clients that we have written this article on best practices in tag categorization.
Now that we have the data flow within your company, we need to highlight two aspects of the LGPD that will help you determine the extent of your responsibility in relation to the many points identified in the company. I'm talking about the difference between Data Controller and Data Processor.
Although cookies are better known, what is the main difference between cookies, session storage, and local storage? Why choose one over the other? This article will help you with these doubts!
LGPD, GDPR, and CCPA are data privacy regulations. In this article, we discuss their similarities and differences for practical application.
With the data mapping, we have a clear understanding of the five stages that every piece of data goes through in a company.
While it's not exactly breaking news, discussions about privacy policies have been popping up more frequently since the start of GDPR in Europe. And despite it seeming coincidental, it's not!
The Brazilian LGPD (General Data Protection Law) brought with it several acronyms and specific terms, many of them imported from other countries and legislations. One of them is ROPA (Record of Processing Activities), adapted in Brazil as Registros das Atividades de Tratamento. It is an essential document for any DPO or data processor.
© GO ADOPT, LLC since 2020 • Made by people who love🍪