LGPD: what does the data protection officer do?

The Personal Data Protection Officer (DPO) works to protect data in the organization, ensuring the safety of employees and the institution itself.

The General Data Protection Law (LGPD) is the main legislation on information security in the digital environment in Brazil. Over the past two years, companies across the country have had to adjust how they process data to meet the standards required by the law. In this scenario, one professional role has become more relevant in companies: the Personal Data Protection Officer (DPO, the English acronym for Data Protection Officer).

According to Antonielle Freitas, DPO of Viseu Advogados, Art. 41 of the LGPD requires the data controller to appoint a person to the position. For the specialist, having a personal data protection officer on the team means total dedication to data protection in the organization, ensuring the safety of employees and the institution itself.

“It will use its best efforts and professional expertise to ensure that the processing of personal data complies with global data privacy regulations, setting the standard and protecting user information through ethical practices and standards,” says Freitas.

What does the DPO do?

The DPO is responsible for a range of activities that are not limited to the technological and legal areas. As the specialist explains, in addition to ensuring compliance with the applicable local legislation, the DPO acts as a communication channel between the owner, the interested parties and the National Authority for the protection of personal data (ANPD).

Antonielle also recalls that § 2 of the same article lists the activities of the DPO as follows:

  • Accept complaints and communications from the owners, provide clarifications and take measures;
  • Receive communications from the national authority and adopt measures;
  • Guide the employees and collaborators of the institution on the practices to be adopted for the protection of personal data;
  • Perform other attributions determined by the data controller or established in complementary rules.

Therefore, this professional must deal with the security of information involving both employees and the various suppliers of a company, and must also have management skills and knowledge of governance.

Difference between controller and operator?

It is worth remembering that the difference between data controller and data operator lies in decision-making power. The controller is responsible for the information, while the operator is the one who acts on the data on the basis of the orders given by the controller.

Data leak

In the event of a data leak, the DPO acts from the identification of the incident through to the neutralization of the threat, explains Antonielle. Upon detecting the leak, the professional must:

  1. Carry out a detailed initial assessment of the incident;
  2. Involve experts from the relevant sectors to collaborate whenever the DPO deems it appropriate and feasible;
  3. If it is concluded that the incident has resulted in a risk or significant damage to the personal data holders, the DPO, possibly assisted by the Communication Office, must make the communications required by law. Such communications may include: (i) thanks to the notifier, (ii) information to interested parties, (iii) press releases, as well as (iv) formal reports to the ANPD and other competent authorities;
  4. Once the incident is contained and its resolution is under way, the DPO shall schedule and conduct a lessons learned meeting, with guests at the DPO's discretion, in order to discuss errors and difficulties encountered and to propose improvements to systems and processes, including this Incident Response Plan;
  5. Document the incident in an appropriate knowledge base, detailing information obtained, timing, actors involved, evidence, conclusions, decisions, clearances and actions taken, including those of the lessons learned meeting;
  6. After neutralizing the threat, the responsible person (RPD) must draw up a detailed report of all the measures taken, presenting all relevant information, such as information about the incident itself (when it was identified, what is its nature, damage or potential damage caused, entity, relevance and repercussion of such damage, etc.).

Market forecasts for DPOs

The data market is growing, driven by the high demand for data professionals. According to the specialist, the figure of the DPO has gained attention since 2018, with the publication of the LGPD, and has increased over time. A 2021 PageGroup survey points out that these professionals receive up to R$ 20,000 a month, which is well above the national level.

“With the publication of the Regulation on sanctioning dosimetry in this first quarter of 2023, perhaps the effective application of financial sanctions will further highlight the need for this professional figure in organisations. From then on, it is likely that, with the construction of a national culture of privacy and data protection, the offers of opportunities in the territory will increase even more,” concludes Antonielle.

Source: LGPD Brazil

Source: Terra
