LGPD DPO Requirements: Guide to the Brazilian Data Protection Law
The Lei Geral de Proteção de Dados (LGPD) is a law passed in Brazil in 2020 to enhance the data protection of Brazilians. It's the first-ever law made to protect users' data privacy in Brazil and is overseen by the ANPD.
This article will give an overview of the LGPD and define what a data protection officer (DPO) is. I will also explain the important role of data protection officers and the requirements for becoming one, along with the specific duties of a DPO.
Let's dive in.
- A data protection officer (DPO) is generally required for businesses, especially for major businesses with a high data security risk.
- A DPO must carry out a wide variety of data management-related tasks. Their goal is to ensure that the business follows the guidelines of the LGPD.
- Becoming a DPO is not easy. It requires a person who is skilled in many different technical and management areas.
An Overview of LGPD
The LGPD was created to combine and unify 40 prior laws with the purpose of regulating the processing of personal data. It is a response to businesses that take users' data without consent and use it in ways that could potentially harm the user.
These laws contain articles on how data processing is handled among businesses regarding people’s personal data. It was implemented to protect Brazilian citizens by allowing them to have more control of their data and for businesses to be more compliant while doing so.
The law makes it so that whenever a data controller (business) handles personal data, the data subject (individual) has to consent. Additionally, consumers can now access their data and request to have it changed or deleted at any given time. Businesses must now also report data breaches and data being shared.
The rules and regulations of the LGPD are very similar to the General Data Protection Regulation (GDPR) in Europe. There are some differences in key principles between the two regarding how the data protection rules are enforced and which justifications are accepted for data processing and data privacy.
The LGPD offers fundamental rights to all Brazilian citizens and visitors. Its scope includes any natural person and any public or private legal entity that processes the data of Brazilians. It's important to know that this data law protects everyone in Brazil.
All businesses within the jurisdiction of Brazil must comply with the LGPD data protection law. So, businesses that deal with Brazilians must select and appoint a data protection officer, who is trusted to monitor how the business handles personal data and data processing.
It's also worth noting that the LGPD data protection law exempts data processing carried out for personal purposes, such as journalistic, artistic, or academic uses, or for national security.
What is a Data Protection Officer?
A data protection officer is a person whose primary role is to monitor how a business manages its data processing. Their goal is to protect the personal data of the data subjects, that is, the business's customers and employees.
Data protection officers provide compliance services for businesses to help implement the LGPD guidelines and ensure data subjects' rights to manage their personal data. They would also be in charge of handling and addressing data subject complaints.
They work closely with data controllers (businesses) and monitor their data processing and performance.
DPOs document these processes and use that documentation to develop ways to streamline processes while remaining compliant and respecting consumers' rights.
Data protection officers must avoid conflicts of interest when making decisions about data processing. A decision must not be made for personal gain; otherwise, they would be held accountable by the national data protection authority and may face criminal charges.
A successful DPO will ensure a business operates its data protection under the mandates of the LGPD. Businesses should work closely with a DPO to stay within the legal basis for processing; otherwise, they risk breaking laws in ways that could result in major lawsuits.
Is a Data Protection Officer Required Under LGPD?
According to Article 11 of the LGPD, small-sized processing agents do not require a DPO. Despite not being necessary, it is still encouraged to have a DPO or someone in charge of data processing to avoid potential lawsuits and data privacy breaches.
Major businesses or businesses that process a lot of data, on the other hand, are expected to have an official DPO appointed under the data protection law. A major business that processes data at a large scale or processes sensitive data must have a DPO appointed. If a business fails to appoint anyone, it will have to deal with legal consequences, especially if it suffers a breach.
A DPO can be either an employee of the business or an external contractor. They can also be in the form of a sole individual or an organization specializing in compliance, like Captain Compliance.
LGPD DPO Requirements
Becoming a DPO requires one who is an expert on current data protection laws. They must understand how data processing operates within a business and understand the fundamental rights of each person.
Due to the nature of this position, a DPO must also demonstrate a wide variety of skills. These range from technical skills to communication skills and an obligation to follow data protection law. Below are some requirements that all DPOs should meet:
Stay Up to Date with Data Privacy Laws
Knowing the current laws is a requirement for data protection officers so that they can mandate how a business runs its data processing on a legal basis.
This is essential because compliance laws are always changing, and staying ahead of the curve will help you stay compliant.
Operational Risk Management
A DPO’s responsibility is to help a business avoid risks that could cause a breach of data privacy. Having knowledge of information security is required. This should be indicated by prior experience or a certain educational standard.
IT and Computer Science Skills
A Data Protection Officer must possess a significant understanding of IT and computer science due to the nature of their job.
They need to understand how data is gathered, stored, and utilized within a system, as well as what implications each of those processes may have. Being able to interpret data, algorithms, and coding will be a key part of their role due to its link with validating lawful information-gathering techniques from customers.
They should also possess system administration skills and the understanding that comes along with it, such as familiarity with how networks interact.
Data Analytics Knowledge
Interpreting the different trends and changes in data flow is mandatory for a DPO. They must be able to spot unusual activity.
DPOs need to have effective communication skills. They will be required to break down concepts and data information into simpler terms during meetings. They will also be communicating on a mass scale to both public and private entities.
Ability to Perform Duties Independently
All DPOs must not be involved directly in tasks influencing how personal data is processed within a business. They are required to give feedback and analyze the situations to encourage a business to change its ways if there is a risk of a personal data breach.
Clear Communication With The National Data Protection Authority (ANPD)
All DPOs are required to report to the ANPD when they believe that there has been a violation of data protection law.
LGPD DPO Duties
LGPD DPOs will have many duties within their business. Their role is to ensure that the business follows strict guidelines that comply with the LGPD data protection laws. Beyond protecting the business, they must also consider the data privacy rights and safety of the individuals whose data the business holds.
Every task a DPO performs matters to the safety and privacy of consumers' personal data. Below are the duties of a DPO in detail:
Ensuring Data Protection Compliance
The DPO is responsible for making sure that the business complies with all aspects of the LGPD data protection laws. DPOs must be observant of the business policies and ensure that procedures are in place to meet the LGPD requirements by coming up with new compliance solutions.
Risk management assessments are another duty that the DPO is responsible for conducting. They are in charge of doing thorough research, identifying high-risk data processing activities, and implementing procedures to help mitigate the risk of personal data breaches.
Part of the responsibility of the DPO is to raise awareness of the LGPD data protection law. They assist in training employees and help implement data policies and compliance procedures, ensuring that consumer consent is obtained.
Part of the analytics side of being a DPO is documenting everything that can be observed. The DPO is required to document data processing activities and other types of data-related tasks to ensure that they align with the LGPD requirements. DPOs use records of processing activities (RoPA) to document activities in a business.
Offer Management Advice
The DPO will often be approached by senior management for advice. A successful DPO will do research and be prepared to report to senior management and explain what they should do to improve compliance plans within the boundaries of the Brazilian data laws.
Report Data Privacy Breaches
Whenever a breach of data privacy occurs, the DPO must report it to the national data protection authority. It needs to be reported whether the business gives consent or not. Not reporting an incident is considered a felony under the LGPD data protection laws.
Who Can Be a Data Protection Officer?
Becoming a DPO is not a job title that anyone can have. It requires an individual who is versatile in many skill sets and must meet many qualifications, which often takes many years of education and work-related experience to achieve.
Most organizations prefer that the individual has a master's degree. The fields of study must pertain to technical fields, such as cyber security or risk management. In addition, organizations also strongly prefer that the person has at least five years of a positive track record in work experience.
The most successful DPOs are individuals who exhibit curiosity. They must be curious and innovative by nature, as most of the work involves thinking outside the box to find solutions.
They also need to be analytical, with the ability to see and quantify data. Communication is also key, as they will be required to explain the insights of their data research. Leadership skills also contribute greatly to delivering and executing the rules of the LGPD.
If one wants to become a DPO, then it’s recommended to start pursuing a college degree in cybersecurity, law, or another related field. It’s also recommended to gain relevant work experience in the field to build a resume that fits the duties of a DPO.
The DPO plays a major role in providing compliance services and ensuring that businesses meet regulation standards. It is a major responsibility, but it is necessary in the digital age we live in today to keep consumers safe.
If you are a business that wants to protect its clients' personal data, Captain Compliance is here to help. We will guarantee that you have the most qualified DPO, one who abides by the data protection laws, to develop a compliance service plan that meets all business needs.
If you are someone who is interested in ensuring LGPD compliance in your business, then get in touch today!
Can an organization have multiple DPOs or appoint a DPO for different business units?
Businesses are only allowed to have one DPO. However, the business could also hire additional data professionals to work alongside the DPO to streamline data processes and operate on a legal basis under the LGPD.
Is there a minimum or maximum term for the appointment of a DPO?
There is no minimum or maximum term for a DPO. A DPO can stay working for the business for as long as they wish to continue to work there. A business won't have any reason to terminate a DPO as long as the DPO continues to address the data subject’s needs.
How often should the DPO report to senior management or the board of directors?
How often a DPO should report to senior management varies depending on the size and needs of the business, although at least once per quarter is a good baseline.
What are the consequences of non-compliance with data protection laws?
If a business fails to improve or be compliant with the LGPD, then the DPOs will be held responsible if they do not perform their professional obligations. The DPO must act in the best interest of the people.