
Data Protection Officers in Brazil: professionalism with a Brazilian twist

by Filipe Fonteles Cabral

October 02, 2021


The curtains have opened, now it’s for real. On 1 August 2021, the fines and other administrative sanctions set out in the LGPD – General Personal Data Protection Law – came into effect. On stage, under the spotlight, are the Data Protection Officers – professionals required by the new Law, following international standards for privacy governance, but who on Brazilian soil have been specially seasoned – and this is not necessarily a bad thing.

Data Protection Officers, in the imported jargon, or simply DPOs, are professionals who are responsible for personal data protection matters in organisations (whether businesses or public bodies). They receive and forward complaints from data subjects, interact with the ANPD – the National Data Protection Authority, guide employees and implement internal privacy policies, among other duties.

In international practice, this role is performed by professionals with in-depth knowledge of privacy issues, both from a legal and technological point of view, as the two fields converge when the subject involves the handling of personal data. It is a profession that emerged about two decades ago (the International Association of Privacy Professionals – IAPP, the largest entity in the sector, was founded in 2000), which brings together people who are 100% dedicated to studying and implementing the subject, such is the responsibility of their occupations and the need for keeping constantly up to date.

In Brazil, a curious scenario is observed: in corporate structures, the role of the DPO has been delegated to former employees, in general leaders from areas such as Legal, IT or Compliance, who have taken on the new position in addition to their old duties. They are highly accomplished professionals, but with little or no experience in personal data protection, with the exception of courses taken on the fly.

It should not be forgotten that many corporations have chosen to hire professional DPO services provided by law firms or specialised consultancies, or have incorporated exclusively dedicated certified professionals into their organisation, especially in sectors that deal with large data flows in their core business. However, the number of DPOs established as “home-made solutions”, performing different functions, in medium and large-sized business structures is striking.

With the entry into force of the LGPD penalties on 1 August, these professionals will at any time be subject to the scrutiny of attentive evaluators, who act on behalf of the community or on their own behalf, including the National Data Protection Authority, the Federal Public Prosecutor, the National Consumer Secretariat (SENACON) and, of course, over 200 million Brazilians who are data subjects.

The anxiety is great and understandable. The LGPD sets out fines of up to R$50 million, suspension of the use of databases and, in milder cases, warnings. There has been news of the filing of hundreds of lawsuits dealing with personal data protection even before the penalties came into force, which makes the business risk associated with the subject unmistakable.

In this scenario of novelties and uncertainties, the question “did we get our DPO right?” will arise during executive board coffee breaks. The answer is yes.

In a country culturally attached to improvisation and socially resistant to formal norms, the local player may have more chances of success than the outsider in the effective implementation of personal data protection governance. Here, the experience that will make the difference is knowledge of internal processes and empathy with area leaders, rather than mastery of the LGPD articles.

Naturally, such last-minute DPOs will need to draw on the legal and technical expertise of third parties in carrying out their activities. They must, without a doubt, rely on market professionals capable of keeping track of new ANPD resolutions in real time, the judicial interpretations that are beginning to be formed and the good governance practices developed internationally. But, at the end of the day, cultural change will need to be effectively implemented in the organisation, as revised policies and processes that are not used in practice are of no use.

Privacy is a very serious issue and must be treated as such, under penalty of severe sanctions and incalculable risk to reputations. Instruments for personal data protection governance are not off the shelf. They must be tested, adapted to the reality of the corporation and periodically reviewed. All this with the support of experts, but on behalf of, and at the direction of, those who will be able to internalise such changes.

Thus, we have created a professional worthy of applause. The DPO with a Brazilian twist.


Filipe Fonteles Cabral

Partner, Lawyer, Industrial Property Agent
