LGPD DPO Requirements: Guide to the Brazilian Data Protection Law
The Lei Geral de Proteção de Dados (LGPD) is a privacy law passed in Brazil in 2020 to enhance the rights of Brazilians. It's the first-ever law made to protect users' data privacy in Brazil and is overlooked by the ANDP.
This article will cover LGPD DPO requirements, the important role of data protection officers, and the specific duties of a DPO.
Let's dive in.
- A data protection officer (DPO) is generally required for businesses, especially for major businesses with a high data security risk.
- A DPO must carry out a wide variety of data management-related tasks. Their goal is to ensure that the business follows the guidelines of the LGPD.
- Becoming a DPO is not easy. It requires a well-skilled person in many different technical and management scenarios.
An Overview of LGPD
The Lei Geral de Proteção de Dados, or General Personal Data Protection Law, was made to combine and unify 40 prior laws with the purpose of regulating the data processing activity.
The LGPD is a response to combat businesses that take users’ data without consent and use it in a way that could potentially harm the user.
These laws contain articles on how data processing regarding people’s personal data is handled among businesses. It was implemented to protect Brazilian citizens by allowing them to control their data and for businesses to be more compliant while doing so.
The law ensures that whenever a data controller (business) handles personal data, the data subject (individual) has to consent. Additionally, consumers can now access their data and request to have it changed or deleted at any given time. Businesses must now also report data breaches and data being shared.
The rules and regulations of LGDP are very similar to the General Data Protection Regulation in Europe (GDPR). There are some differences in key principles between the two regarding how data protection laws are ruled and justifications for personal data processing and data privacy.
The LGPD offers fundamental rights to all its Brazilian citizens and visitors. This scope includes any person, public, or private legal entity that processes the data of Brazilians. It's important to know that this data law will protect everyone in Brazil.
All businesses within the jurisdiction of Brazil must comply with the General Data Protection Law. So, businesses that deal with Brazilians must select and appoint a data protection officer on the legal basis that it will be trusted to monitor how a business handles personal data and data processing.
It’s also worth noting that the LGPD data protection law exempts those who are data processing for personal purposes, such as journalistic, artistic, academic, or national security.
What is a Data Protection Officer?
A data protection officer is a person whose primary role is to monitor how a business processes data. Their goal is to protect the personal data of the stat subject’s customers and employees.
Data protection officers provide compliance services for businesses to help implement the General Data Protection Law guidelines and ensure data subjects' rights to manage their personal data. They would also be in charge of handling and addressing data subject complaints.
They work closely with data controllers (businesses) and monitor their personal data processing and performance.
DPOs document these processes and use documentation to develop ways to help streamline processes that are in compliance with consumers.
Data protection offers must avoid conflicts of interest when making decisions about data processing. A decision must not be made for personal gains; otherwise, they would be held accountable by the national data processing authority and may face criminal charges.
A successful DPO will ensure a business operates data protection under the mandates of the LGPD. Businesses should work closely with a DPO to follow the legal basis that could otherwise lead to breaking laws that would result in major lawsuits.
Is a Data Protection Officer Required Under LGPD?
David Manek, a Global Privacy Lead and Senior Managing Director at Ankura, says:
"Article 41 of the LGPD requires organizations that process personal data to appoint a Data Protection Officer (DPO). There are some exceptions to the LGPD’s DPO requirement for very small companies, start-ups, and not-for-profits."
Businesses that process a lot of data must have an official DPO appointed under the data protection law. A major business that processes data at a large scale or processes sensitive personal data must have a DPO appointed.
If a business fails to have anyone anointed, it may have to deal with legal consequences, especially if the data were breached.
A DPO can be either an employee of the business or an external contractor like Captain Compliance. They can also be in the form of a sole individual or an organization specializing in compliance, like Captain Compliance.
- Does your business need a DPO, but you're unsure where to look? Captain Compliance is here to help. Connect with us today to ensure you are compliant with the LGPD.
LGPD DPO Requirements
Becoming a DPO requires one who is an expert on current data protection laws. They must understand how data processing operates within a business and understand the fundamental rights of each person.
"Similar to the requirements under the EU’s General Data Protection Regulation (GDPR), the role of a DPO is to adjudicate privacy rights requests from individuals, raise awareness and provide training on data protection topics, and interact with authorities when needed."
This means a DPO must also demonstrate a wide variety of skills. These include technical and communication skills that are required to follow the data privacy law. Below are some requirements that all DPOs should have:
Stay Up to Date with Data Privacy Laws
Knowing the current laws is a requirement for data protection officers so that they can mandate how a business runs its data processing on a legal basis.
This is essential because compliance laws are always changing, and staying ahead of the curve will help you stay compliant.
Operational Risk Management
A DPO’s responsibility is to help a business avoid risks that could cause a breach of data privacy, especially when sensitive data is involved.
Knowledge of information security and how to do a data protection impact assessment is required. This should be indicated by prior experience or a certain educational standard.
IT and Computer Science Skills
A Data Protection Officer must possess a significant understanding of IT and computer science due to the nature of their job.
They need to understand how data is gathered, stored, and utilized within a system, as well as what implications each of those processes may have. Being able to interpret data, algorithms, and coding will be a key part of their role due to its link with validating lawful information-gathering techniques from customers.
They should also possess system administration skills and the understanding that comes along with it, such as familiarity with how networks interact.
Data Analytics Knowledge
Interpreting the different trends and changes in data flow is mandatory for a DPO. They must be able to spot unusual activity.
DPOs need to have effective communication skills. They will be required to break down concepts and data information into simpler terms during meetings. They will also be communicating on a mass scale to both public and private entities.
Ability to Perform Duties Independently
All DPOs must not be involved directly in tasks influencing how personal data is processed within a business. They are required to give feedback and analyze the situations to encourage a business to change its ways if there is a risk of a personal data breach.
Clear Communication With The National Data Protection Authority (ANDP)
All DPOs are required to report to the ANDP when they believe that there has been a violation of data protection law.
- Want a DPO that does all this and more? Captain Compliance is your solution. Get in touch for a free consultation today.
LGPD DPO Duties
LGPD DPOs will have many duties within their business. Their role is to ensure that the business follows strict guidelines that comply with the LGPD data protection laws. Outside of protecting the business, they must also consider the safety and rights of the individual’s data privacy that the business contains.
Every task a DPO does is very important to the safety of the consumer’s personal data. A DPO has many duties, all of which are important to data safety and privacy. Below are all the specifics of a DPO duty in detail:
Ensuring Data Protection Compliance
The DPO is responsible for ensuring the business complies with all aspects of the General Data Protection Law. DPOs must be observant of the business policies and ensure that procedures are in place to meet the LGPD requirements by developing new compliance solutions.
Data protection impact assessments are another duty that the DPO is responsible for conducting. They are in charge of doing thorough research, intensifying high-risk data processing activities, and implementing procedures to help mitigate the risk of sensitive data breaches.
Part of the responsibility of the DPO is to bring awareness of the LGPD data protection law. They assist in training employees and help implement data protection policies and compliance procedures, ensuring that they reach consent with the consumers.
Part of the analytics side of being a DPO is documenting everything that can observed. The DPO is required to document all personal data processing activity and other types of data-related tasks to ensure that they align with the LGPD requirements.
DPOs use records of processing activities (RoPA) to document activities in a business.
Offer Management Advice
The DPO will often be approached to be given advice by higher-up management. A successful DPO will do research and be prepared to report to the higher-ups and explain what they should do to improve compliance plans within the boundaries of the Brazilian data laws.
Report Data Privacy Breaches
Whenever a breach of data privacy occurs, the DPO must report it to the national data protection authority. It needs to be reported whether the business gives consent or not. Not reporting any indicents is considered a felony under the LDPD data probation laws.
Who Can Be a Data Protection Officer?
Becoming a DPO is not a job title that anyone can have. It requires an individual who is versatile in many skill sets and must meet many qualifications, which often takes many years of education and work-related experience to achieve.
Most organizations prefer that the individual has a master's degree. The fields of study must pertain to technical fields, such as cyber security or risk management. In addition, organizations also strongly prefer that the person has at least five years of a positive track record in work experience.
The most successful DPOs are individuals who exhibit characteristics of curiosity. They must be curious and innovative by nature, as most of the work involves thinking about the outside of the box to address solutions.
They also need to be analytic, with the ability to see and quantify data. Communication is also key, as it would be required to explain the insights of your data research. Knowing leadership skills would also be a major contribution to the delivery and execution of rules with the LGDP laws.
If one wants to become a DPO, then it’s recommended to start pursuing a college degree in cybersecurity, law, or another related field. It’s also recommended to gain relevant work experience in the field to build a resume that fits the duties of a DPO.
How Can Captain Compliance Help?
If you want to protect your customer's personal data, Captain Compliance is here to help. We are top-of-the-line compliance experts who can serve as your DPO to abide by the data protection laws to develop a compliance service plan to meet all business needs.
Can an organization have multiple DPOs or appoint a DPO for different business units?
Businesses are only allowed to have one DPO. However, the business could also hire additional data professionals to help coexist with the DPO to streamline data processes and operate on a legal basis under the LGPD.
Is there a minimum or maximum term for the appointment of a DPO?
There is no minimum or maximum term for a DPO. A DPO can stay working for the business for as long as they wish to continue to work there. A business won't have any reason to terminate a DPO as long as the DPO continues to address the data subject’s needs.
How often should the DPO report to senior management or the board of directors?
The frequency of how often a DPO should report to senior management varies depending on the size and needs of the business, although at least once per quarter is a good amount.
What are the consequences of non-compliance with data protection laws?
If a business fails to improve or be compliant with the LGPD, then the DPOs will be held responsible if they do not perform their professional obligations. The DPO must act in the best interest of the people.