By Leonardo Neri
The General Data Protection Law (LGPD) came into force on September 18, 2020, and, within its sixty-five articles, introduced the obligation for controlling companies to appoint a Data Protection Officer (DPO, the English term for the position, which has also been mandatory in Europe since May 2018).
The mandatory and essential nature of creating and maintaining a new position within data controller companies has increased the interest of those seeking to exercise a new, promising activity that still has a shortage of professionals.
The Data Protection Officer will act on several fronts, being responsible for mapping and recording the flows of personal data processing by the controller, implementing adequacy procedures by all sectors involved in the processing of personal data, in addition to promoting interaction between the company and data subjects and the competent regulatory body.
To this end, the DPO's contact information will be publicly disclosed by the controlling company, preferably on its website, so that the DPO can act as an intermediary in the communication between the organization, data subjects and the National Data Protection Authority (ANPD).
In addition, the DPO will also act internally, adopting measures necessary for the implementation of adjustments by the company to ensure the protection of personal data. In general, the DPO has the important task of managing the trajectory of personal data within the organization.
As main duties, the DPO must:
- i) Receive complaints and communications from data subjects, provide clarifications and take action;
- ii) Receive communications from the ANPD and take action;
- iii) Guide employees and contractors of the controlling company on the practices to be adopted regarding the protection of personal data;
- iv) Perform other duties determined by the controller or established in supplementary rules;
- v) Formulate good practice and governance rules, including procedures for:
  (v.i) Complaints and petitions from data subjects;
  (v.ii) Security rules and technical standards;
  (v.iii) The specific obligations of those involved in the processing; and
  (v.iv) Educational actions.
- vi) Inform and advise the data controller and its employees about their obligations regarding data processing;
- vii) Provide advice on data protection impact assessments and monitor their implementation;
- viii) Cooperate with public authorities in matters relating to data protection;
- ix) Be the contact channel with the authorities regarding data processing;
- x) Monitor the processing agent's compliance with the LGPD, including:
  (x.i) Assessment of whether procedures comply with the principles of the LGPD, especially prevention, security and accountability;
  (x.ii) Analysis of minimum technical standards;
  (x.iii) Implementation of Privacy by Design in the controlling company's branded product;
  (x.iv) Monitoring of the mapping of records of processing activities;
  (x.v) Review of the scope of personal data processed by the agent;
  (x.vi) Constant review and updating of information and procedures;
  (x.vii) Identification and documentation of the specific purposes of data processing;
  (x.viii) Preparation and maintenance of an inventory of processing records;
  (x.ix) Determination and documentation of the legal basis for each processing activity;
  (x.x) Documentation of any consent requirement and of the record of obtaining it from the data subject;
  (x.xi) Assessment and identification of activities that pose risks to data subjects;
  (x.xii) Implementation of controls on the processing of personal data in relation to third parties; and
  (x.xiii) In the case of joint controllers, identification and determination of individual responsibilities.
It is important that the Data Protection Officer carries out his or her activities with full autonomy and full access to information, also acting as an inspector of the acts carried out by the controller, in defense of data subjects' personal data.
The DPO, however, is not responsible for the company's failure to observe recommended procedures for protecting personal data.
In this area, the LGPD enables the emergence on the market of the product “DPO as a Service”, which is nothing more than a consultancy that provides the Data Protection Officer service to controlling companies through a legal entity, serving more than one controlling company simultaneously.
This business model allows the same legal entity to diversify the service it provides, contributing to a more appropriate cost-benefit ratio for the controlling company, which can better match the workload required to meet demand with its current reality. The controlling company also benefits from a more comprehensive service, since the provider's work is spread across other companies, or even other sectors of the economy, giving the provider greater experience in the area of data protection, in accordance with the practical precepts of the new General Data Protection Law.