The General Data Protection Law arrived in the country in 2018 through Law No. 13.709, but it was only in 2020 that its enforcement was decreed, resulting in numerous modifications. In discussing the best way for organizations to comply with these regulations, the National Data Protection Agency, along with other entities, began creating legal instruments.
The most recent development is the institution of the DPO, "Data Protection Officer," responsible for the information security of a company's systems.
The European Union's General Data Protection Regulation (GDPR) establishes in its Article 37 the obligations of the data protection officer within the administrative framework. In Brazil, these considerations were added to item II of Article 5 of the LGPD (Brazilian General Data Protection Law), clarifying the role of these professionals.
The general definition is that the person aims to control the flow of information, all resources involving the external and internal sharing of any content, and the knowledge of the sectors regarding this.
So, what exactly do companies need to do to appoint a DPO?
Considering that this role involves leadership capable of applying legal principles, training employees, and overseeing policy compliance, the employee must be qualified and have a thorough understanding of the departments. The change only mandates that large and medium-sized businesses specifically designate a data protection officer. The ANPD (National Data Protection Authority) has been working to raise awareness among all entrepreneurs regarding this regulation.
Another key word that helps to better understand the importance of this criterion is the need to integrate all areas of administration to guarantee the privacy of employees and clients. This is because failure to comply with any regulation can result in fines, that is, financial and moral damages.
The importance of focusing on formalization becomes even more evident when considering the actions of international agencies, such as the UN and the ILO, to guarantee quality standards in production processes.
Given this scenario, the Ministry of Labor decided to take a stand, specifying the activities included in the DPO's job description. Beyond formalization, companies gain a reference point to facilitate job descriptions, improving management. Meanwhile, the government can observe who complies with all the requirements of the General Data Protection Law, thus preserving the security of citizens.
The responsibilities of a Data Protection Officer are outlined in the following legal provision:
Article 41, §2, of the LGPD
I - oil claims and communications from two holders, provide clarification and adorn provisions;
II - receive communications from the national authority and adorn provinces;
III - to guide the employees and the contracted entities to respect the practices to be taken in relation to the protection of personal data; and
IV - execute the other attributions determined by the controller or established in complementary norms.
