With the advent of the new data protection laws in Brazil and in the world, new institutions, markets and even professional attributions are arriving. And in a context of great technological revolution, which has been introducing many transformations in the business world as well as directly impacting the way the companies manage the big volume of information/personal data, there comes the Lei Geral de Proteção de Dados –LGPD (Law 13.709, 2018), inspired by protection regulations already existing in other countries, for example, the European General Data Protection Regulation – GDPR.
It was created, in both regulations, the figure of the Data Protection Officer – DPO, a name given by the GPDR, or Encarregado, a name brought by the LGPD. The DPO or Encarregado plays a fundamental role inside the organizations, because through its performance, it is assured the guarantee that the organizations are in accordance with legal norms and the good practices in the sector.
Every organization that deals with personal data should indicate a DPO or Encarregado besides making this nomination public, unless there is a dismissal by the Agência Nacional de Proteção de Dados – ANPD. We list below the main attributions of this new professional profile:
- To be a link between the controller, the data holders and the Autoridade Nacional de Proteção de Dados – ANPD;
- To be the guarantor of the implantation of the data protection culture within the organization;
- To be responsible for receiving complaints and communication from the holders, to provide clarification and to adopt inside measures in order to meet the requests;
- To receive national authority’s communication and adopt inside measures to meet the regulatory determinations;
- To orient the entity employees and partners/contractors about the practices to be taken in relation to personal data protection;
- To execute the other attributions determined by the controller or established in complementary norms.
It is worth highlighting that, apart from the listed attributions, the ANPD will also be able to establish complementary norms about a definition, the Encarregado’s attributions, and its dismissal, depending on the entity nature and size, or else, the volume of data processing operations.
Other questions that deserve to be highlighted for the company adequacy to the LGPD, although not listed as the Encarregado’s direct responsibility, are related to other kinds of the controller’s obligations and data operators: i) inside processes revision; ii) elaboration of policies for data protection; iii) elaboration of policies for privacy, policy for cookies and policy for data retention; iv) treatment activity register; v) impact analysis about Proteção de Dados (AIPD), among others.
In view of the various functions and responsibilities related to the Encarregado’s performance, it arises in the specialized consulting model about data protection, the hiring of DPO asS advisory (Data Protection Officer as a service).
The consulting in the DPO asS model becomes more efficient, practical and with the least cost for the companies. We bring here only some of the benefits for the companies in the hiring of this advisory model:
- Salary and labor benefits cost reduction;
- No need for equipment or physical space allocation;
- Cost elimination with the Encarregado’s training and certification;
- Risk extinction of an interest conflict related to the Commissioner;
- The consulting provides a specialized team with experience in many companies from different segments;
- The company becomes free to keep the focus on its main business, and,
- No need for an alternate encarregado/employee to cover the commissioner’s vacation or leave.
And before the highly dynamic scenery for 2021, with countless changes required from companies for a compliance to the various laws that rule the issues which permeate privacy and individuals’ data protection, the hiring of this advisory will be a differential element for the success of company projects.
The CTA/ECIJA TMT team is at your disposal for further clarification, informing that they have an extensive experience in the provision of services concerning the compliance to the norms of privacy and data protection.
Anna Luiza Pires e Albuquerque de Berredo
Cristiane Sanches de Souza Corrêa
Rosana Pilon Muknicka