*Julie Caroline Oliveira
Abstract - This article aims to provide a brief overview of the General Data Protection Law, better known as LGPD, and to mention some of the measures that companies must take to comply with it, focusing on the importance of appointing a person responsible for data protection in the organization, known as the Data Protection Officer (DPO).
With the approval of the General Data Protection Law (LGPD, Law No. 13.709/18) in August 2018 and its entry into force in September 2020, companies found themselves faced with the need to adapt to the new rules. In brief, the law applies to any person, whether natural or legal, who processes the personal data of a natural person, whether that processing is digital or not.
Thus, the law covers a large part of business projects and activities. It is therefore essential that companies bring their processes and policies into line with the new legislation, avoiding fines and penalties that can compromise their finances and even the organization's image in the market. To avoid these problems, some measures must be adopted, among them the appointment of the Data Protection Officer.
Data Protection Officer
The LGPD provides for severe sanctions for those who do not comply with its provisions, which is why the adequacy of companies is extremely important. When applying a sanction, the National Data Protection Authority (ANPD) must consider not only the category of the affected data but also the measures, mechanisms and internal procedures previously adopted by the company, which demonstrates the great need to implement good governance, security and prevention practices. It is important to note that each business segment has its own particularities and therefore requires targeted analysis. However, the law implies one practically mandatory measure: the appointment of a Data Protection Officer.
The Data Protection Officer (DPO) is the person responsible for assisting companies that process personal data in fulfilling their legal obligations regarding privacy. According to the LGPD, in its article 41 § 2, the activities of the DPO consist of:
- accepting complaints and communications from data subjects, providing clarifications and taking action;
- receiving communications from the national authority and taking action;
- advising the entity's employees and contractors on the practices to be adopted in relation to the protection of personal data; and
- performing the other duties determined by the controller or established in complementary rules.
In addition, the DPO is responsible for acting as the bridge between the company, the National Data Protection Authority (ANPD) and the data subjects.
This new position is therefore a demonstration of the company's commitment to the rights of data subjects and to compliance with the new legislation, so the choice must be judicious and consider the company's risk profile.
Defining a DPO
After the changes made by Provisional Measure (MP) No. 869/18, converted into Law No. 13.853/19, the DPO no longer needs to be a natural person, opening the possibility of the DPO tasks being performed by legal entities. Thus, the DPO can currently be either an employee of the controlling company (natural person) or a third-party service provider (legal person). But which is the best option?
The DPO needs to have technical and legal knowledge, be able to closely monitor the entire information lifecycle and assist all teams in the organization with data protection and privacy issues. The cycle of internal appointment, learning and practice can therefore be difficult and time-consuming, leading several companies to outsource this service.
DPO as a Service is one of the available options, bringing flexibility and cost reduction for companies. Other advantages include the hiring of independent DPOs without conflicts of interest; access to a team of specialists who keep the company up to date with the latest and best practices regarding the law; and a service that flexes according to the needs of the business, among others.
However, companies need to be aware that the protection and privacy of personal data are mandatory issues for business continuity, not something to be considered only to comply with the law in the year it came into force. For companies aiming to contribute effectively and in the long term to the culture that should be adopted for the evolution of the business, there is the service known as Assisted Operation.
This service offers specialized advice on data protection, enabling the company to choose an internal DPO who will acquire the knowledge necessary to support the activities and duties of this position. It is extremely important that data protection measures are adopted from the conception of projects, products and/or services, aiming not only to meet the LGPD when it comes into force, but also to meet all demands for protection and privacy in the long term. Thus, when hiring Assisted Operation, the company is in fact investing in its own future, since it acquires the necessary knowledge in terms of privacy and data protection.
It is worth mentioning, however, that the DPO needs to be fully independent in order to prioritize issues related to data protection, without conflict with any other functions or tasks. The importance of this professional also does not eliminate the need to form a Multidisciplinary Committee for Data Protection and Privacy that supports the DPO in the demands of data protection in a broad way, covering all areas of the organization.
As presented in this article, the Data Protection Officer (DPO) is a new figure of extreme importance in the organizational environment, as it is the DPO who will assist the company in matters of protection and privacy of personal data, aiming to comply with the legislation and avoid large financial losses, both from fines imposed by law and from an organizational image tainted by the unsafe handling of the personal data of its employees, customers, suppliers and others.
Therefore, the ideal is for companies to create a culture of data protection and respect for privacy, so that this becomes a constant in the business: the well-known idea of "privacy by default" applied in practice.
* Julie Oliveira is GRC and Information Security Consultant at [SAFEWAY]
SAFEWAY is an Information Security company, recognized by its customers for offering high value-added solutions through Information Security projects that fully meet the needs of the business. Over these years of experience, we have accumulated, with great pride, several successful projects that have earned us credibility and prominence among our clients, who are in large part among the 100 largest companies in Brazil. Today, through more than 22 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one-stop shop with the best technology, process and people solutions.