Data Protection Officers: who they are, what they do, and their importance
The names vary — in English, they are called data protection officers (hence the abbreviation DPO). In Portuguese, "encarregado de dados" (literally translated as "data supervisor"). But they are also known as data protection executive. Regardless of the nomenclature, we are talking about the same thing: the new professional who has gained prominence in Brazil after the approval of the law known in Portuguese as the Lei Geral de Proteção de Dados (LGPD), which, in turn, imported the concept from the European General Data Protection Regulation (GDPR).
For many people, the role of the DPO is still unclear; we assure you, however, that there is no mystery to it. In summary, the data protection officer is the employee responsible for supervising the entire personal data processing procedure within the company, providing guidance on best practices regarding the privacy of sensitive information, and serving as a bridge between the enterprise and the Brazilian National Data Protection Authority ("ANPD" in Brazil).
The LGPD created a series of obligations for Brazilian companies. The use of personal information can only take place for specific purposes and under conditions authorized by law. In addition, civilians have acquired a number of rights, including the possibility of consulting, rectifying, transferring or even requesting the full deletion of their data within a legal timeframe. Companies that do not comply with these rules are subject to a series of penalties, including fines of up to R$ 50 million (approx. US$ 9.5 million).
The responsibilities of the DPO
And this is where the need for a data protection officer arises. The DPO is a professional who, above all, has ample knowledge of the LGPD (this is why most hold Law degrees, although this is not a rule) and also vast experience in Information Security. With these two areas of expertise, the DPO ensures everything is in order and that compliance with the law is guaranteed.
But what exactly does ‘everything in order’ mean? Well, the DPO must oversee absolutely everything that involves personal data within the company. These functions include:
- To map out all the data that come in and are stored, even the data that, at first, appear to be "invisible" because they are not part of the enterprise's core business;
- To ensure that the data collection, storage and processing procedures are in accordance with LGPD regulations, with a very clear tool of consent in place when necessary, and without committing any personal data abuses;
- To develop and update a clear privacy policy, which demonstrates and explains to the data subjects, in the most accessible way possible, how and for what the data will be used;
- To answer data subject requests, ensuring that they are able to exercise all the rights mentioned above;
- To promote a culture of privacy throughout the company, encouraging minimal data collection, ensuring that data are anonymized, and occasionally taking part in awareness programs, so that all corporate processes incorporate the "privacy-first" mentality.
Before the ANPD
Of course, responsibilities do not stop there. We all know that, even with investments and efforts in information security, incidents can happen, including the much-feared data leaks. In the event of such an incident, it is the DPO who bridges the gap between the company and the Brazilian National Data Protection Authority, as well as any other competent body that may become involved in the investigation.
Because of this, it is also crucial that a good DPO have excellent interpersonal communication skills, know how to handle crises, and be able to manage routine problems related to the correct processing of data. It is a profession on the rise, for which several certifications already exist, and for which growing demand is expected over the next few years.
Article translated from: DPO: o que é, o que faz e qual a importância do encarregado de dados — Perallis Security