If you are familiar with the General Data Protection Law (LGPD), you know the importance of the DPO, also known as the Data Protection Officer. This professional is responsible for responding to requests from data subjects and representing the company before the ANPD (National Data Protection Authority).

The new development, more than a year after the law came into effect, is that small businesses and startups may no longer be required to have a DPO (Data Protection Officer). "Small-sized data processing agents are not required to appoint a data protection officer as required by Article 41 of the LGPD (Brazilian General Data Protection Law)," states the proposed regulation. "Small-sized data processing agents that do not appoint a data protection officer must provide a communication channel with the data subject." 

This new rule is open for public consultation until the end of September, along with other regulations for small businesses.

What can change in practice

Previously, every company, regardless of size, needed to have a Data Protection Officer (DPO) to comply with the LGPD (Brazilian General Data Protection Law). Now, if the proposal is approved, small businesses and startups will not specifically need this position, but the DPO's work will need to be performed by another person or outsourced company.

The main tasks of the DPO are:

• To assist policyholders, provide clarification in case of incidents, and take appropriate action;
• Receive guidance from the ANPD and take appropriate action;
• Inform the team about the actions that need to be taken to comply with the law.

Now, without a dedicated person to handle this aspect exclusively, small businesses can place these tasks within the scope of customer service or legal departments, for example. However, the institution's website must include a direct contact, from whatever department, to address issues related to personal data.

How to assist account holders

It is essential to have a means of contact to assist people who have requests regarding their data. These requests may include:

• Change requests;
• Exclusion requests;
• Requests for anonymization;
• Requests to find out what data is processed and why.

In addition to providing contact information on its website for the person responsible for handling data issues, it is essential to have a tool that facilitates this relationship with data subjects.

The module Request from Privacy Tools Holders It enables companies of all sizes to meet requests and comply with the LGPD (Brazilian General Data Protection Law). The solution is also known as DSAR (Data Subject Access Request).

Therefore, when a personal data subject wishes to access their private information, such as requesting data removal or seeking clarification about its use, for example, this request must be made through a specialized channel with appropriate customer service for this type of interaction.

The platform allows for deadline and request management, provides automated responses, and even audits the history of requests made. By contracting the Data Subject Request and Consent Management modules together, we provide an extra module called the Privacy Portal, creating a centralized channel for data subjects to access all privacy-related information.