Since 2018, with the promulgation of the LGPD, designating a DPO, or data protection officer (in Portuguese, the officer responsible for data protection), has been mandatory for public and private organizations, as well as self-employed professionals, in their capacity as data controllers, i.e., those who use personal data in their business or activity, acting as data processing agents. Indeed, it is inconceivable that any public institution, private company, self-employed professional (such as lawyers, doctors, dentists, architects, psychologists, accountants, etc.), or even non-profit organization (such as churches or philanthropic entities), could operate without using personal data, even in B2B transactions.
Collecting, storing, and sharing names, CPF numbers (Brazilian tax identification numbers), and addresses, whether of clients, employees, or suppliers, is part of any business. Even if the processing occurs due to compliance with a legal obligation, this information will never belong to the institution, company, or professional, but rather will remain linked to the identity of the data subjects.
The essential role of third-party personal data, and the dependence on it, in the operation of a business or activity has led legislation to mandate the appointment of a Data Protection Officer (DPO): an individual or legal entity who acts as a communication channel between the data controller and the data subjects, as well as with institutions such as the National Data Protection Authority (ANPD). These functions should only be performed by professionals who genuinely master the legislation and the full range of multidisciplinary tasks in management, information security, relationships, and other areas; the merely formal appointment of someone, a "Fake DPO," is insufficient.

The appointment of a fake Data Protection Officer (Fake DPO) is an extremely risky practice and can result in severe administrative and civil penalties for organizations, and above all, damage to the company's reputation. Among the administrative sanctions that can be applied by the ANPD (National Data Protection Authority) are warnings, fines, and even the blocking of personal databases, directly impacting operations. These penalties stem both from non-compliance with the law and from exposing data subjects to unacceptable risks; it is not even necessary for data breaches or other incidents to occur for penalties to be applied by the Authority and even by PROCON (Brazilian Consumer Protection Agency).
A fake DPO (Data Protection Officer) lacks the necessary qualifications to ensure compliance with the LGPD (Brazilian General Data Protection Law), or even if they do, they lack the autonomy to guide the controller and protect the rights of data subjects, resulting in data protection failures and an increased risk of leaks and breaches. This happens in cases where the doctor, lawyer, engineer, or even IT or information security professional is appointed merely to "check a box."
The use of a Fake DPO also violates ANPD guidelines because, in addition to technical disqualification and lack of autonomy, it constitutes a clear case of conflict of interest when the professional is forced to "sit in two chairs." The characterization of a Fake DPO on grounds of conflict of interest is addressed in Resolution CD/ANPD No. 18 of July 2024, and in the guidance document "Performance of the Data Protection Officer," also from ANPD, dated December 2024. It is also evident that the appointment of an unsuitable professional prevents the implementation of effective governance and personal data management practices, hindering compliance with the LGPD (Brazilian General Data Protection Law).
In the international arena, particularly within the framework of the GDPR (the legislation that inspired the LGPD), there are precedents that highlight the risks of improperly appointing a DPO, as occurred in Belgium, where the Data Protection Authority fined a company €50,000 (fifty thousand euros) for appointing the head of compliance, audit, and risk management as DPO. This accumulation of functions violated Article 38 of the GDPR, which requires independence and the absence of conflicts of interest in the DPO's actions. Another example is the fine of €75,000 (seventy-five thousand euros) imposed on a company that appointed as DPO an employee who also held responsibilities in risk management and investigation.
It is also essential that the DPO has direct access to senior management and participates in strategic decisions involving personal data, so that the organization demonstrates that it operates under the privacy by design model, that is, from the conception of products and services, it is attentive to the correct handling of personal data.
In Brazil, as evidenced by its intense regulatory activity, the ANPD (National Data Protection Authority) is extremely attentive to the correct appointment of an autonomous, technically qualified Data Protection Officer (DPO) free from conflicts of interest. This is evident in the guidance activities already mentioned (the Resolution and the Guidance Guide), in the existing sanctioning processes, which reach even the public administration, and in the news reported at the end of 2024 regarding the audit of 20 companies "for lack of a Data Protection Officer and an adequate communication channel," precisely because these failures imply a lack of transparency and of information about data processing. The audited companies, from diverse sectors such as finance, technology, education, and health, among others, have already been notified and given deadlines to correct the non-conformities, under penalty of additional administrative sanctions, including fines.
But how do we do it?
The LGPD (Brazilian General Data Protection Law) and the ANPD (National Data Protection Authority) guidelines clearly state that companies, organizations, or self-employed professionals can choose between internal appointments and hiring outsourced professionals, who can also be legal entities, with all the efficiency gains and cost reductions that outsourcing to a specialized company provides.
Each modality presents advantages and disadvantages, suited especially to the size and volume of personal data processed.
For most companies and self-employed professionals, hiring an outsourced DPO seems like the best solution, which is already the case, for example, with accounting professionals who work for dozens or hundreds of companies, maintaining high levels of integrity, reliability, and efficiency.
An outsourced DPO will have in-depth knowledge of data protection laws, risk management, and governance, with the ability to provide guidance on information security as well. They will not hold positions that could create conflicts of interest, focusing on protecting personal data and ensuring the rights of data subjects are respected without interference, ultimately protecting the company itself. After all, when data subjects perceive their rights as respected and fulfilled, trust in the company and the professional increases, at a much lower cost than hiring a dedicated professional.
Recognized market professionals with experience and technical expertise already have their own structural support, including technological tools and specialized teams, so that the data protection officer can perform their duties efficiently. Furthermore, these professionals maintain continuous training and are able to provide regular training and updates to company teams on legislation, ensuring that employees, suppliers, and managers adopt the measures recommended by the DPO. It is worth remembering that all employees and suppliers must also be trained to handle the personal data of clients and employees, with the DPO leading this process.
Therefore, appointing a qualified and independent DPO is mandatory for organizational compliance and for promoting a data protection culture. Inappropriate practices, such as the appointment of fake DPOs, compromise the company's reputation and the security of data processing, and expose the organization to severe sanctions, in addition to loss of market share, since such companies enjoy a lower level of trust.
International cases, such as the GDPR in Belgium, and national cases, such as the recent audit by the ANPD in Brazil, highlight the seriousness of the issue and the need for strict adherence to legal requirements. Therefore, companies must treat the selection of a DPO with the necessary seriousness, ensuring that the appointed professional has the autonomy and skills necessary to perform their duties with integrity and effectiveness.
Did you enjoy the text? Take the opportunity to check out the participation of the guest author, Newton Moraes, in the second episode of the Privacy Leaders podcast by clicking [here].