This acronym – DPO – no longer causes as much surprise in the Brazilian market as it did seven years ago, when the LGPD (Brazilian General Data Protection Law) was published. At the time, it was common to think that this was something for IT companies and European multinationals subject to the GDPR, which had come into effect three months earlier.
Since then, much water has flowed under the bridge of biased understandings, such as the one that argued that only lawyers could perform the activity of data protection officer (DPO). Or, even, that this would be a function only well performed by information security professionals.
Regardless of each organization's understanding, data protection officers began to emerge and occupy their spaces. Timidly, much more slowly than the law and the administrative authority, the ANPD, required, but one or two could already be seen here and there.
Pit stops for alignment
When the ANPD carried out the two Supervisors' Meetings in Brasilia, in 2024 And in 2025, the second survey, with an audience approximately 60% larger than the first, highlighted the target audience's anxiety to find answers to questions such as the use of personal data in business processes with AI tools, the escalation of biometric identification, and the role of the DPO amidst all of this.
In December 2024, the Authority released a list of twenty large companies that were under investigation for failing to appoint a data protection officer and not providing a functional communication channel with the owners. The companies belonged to sectors as diverse as retail, telecommunications, aviation, technology, healthcare, energy, and education.
With the aim of ensuring that the notified companies complied with legal requirements, the Authority's action had an impact on the market, making not only the organizations under inspection, but also others, aware of the importance of establishing this transparent channel of communication with the data subjects.
Progress milestones
The ANPD (National Data Protection Authority) has clearly opened up space for dialogue regarding the responsibilities of this professional, the challenges (which are numerous), and for the exchange of best practices on the data protection officer's journey, whether in the public or private sector.
Several milestones have also been established in these seven years to recognize the role of the data protection officer. For example, there was the definition of code no. 1421-35 of the Brazilian Classification of Occupations (CBO) of the Ministry of Labor, which includes the correspondence with the English acronym DPO – Data Protection Officer.
Another important point was the publication of the Regulation on the role of the data protection officer. In addition to the four responsibilities already defined in the LGPD (including the possibility of others determined by the controller), the Regulation introduced 14 more, totaling 18 responsibilities that legally fall to the DPO in corporations.
Challenges and pathways to compliance
The fact is that the strategic role of the DPO is no longer so debated in companies. This is already evident and legalized, as stipulated in Article 16, item XI, of the Regulation, which determines that it is the responsibility of the data protection officer to provide assistance and guidance to the controller and the operator in "making strategic decisions regarding the processing of personal data".
The Data Protection Officer (DPO) is the link that applies governance to the production and service delivery chain, connecting with stakeholders throughout the personal data lifecycle.
As the CEO of ANPD, Waldemar Gonçalves Ortunho Junior, stated at the last Data Protection Officers' Meeting, they are "the protagonists in the process of ensuring the fundamental right to privacy of every Brazilian citizen." The organization that has recognized this and placed its DPO in the driver's seat is already in pole position.
Want to read more articles by this author? Understand why AI is meant to be used, not feared, by clicking [here]. here.
