General 3min de Leitura - 18 de September de 2020

DPO: Find out who will be the future responsible for data protection in your company

This post is also available in: Português English Español

With less than a year to go into effect, the General Data Protection Law (LGPD) will create new demands that certain companies need to adapt to. One of them is the presence of a DPO, acronym in English for Data Protection Officer, that is, the professional responsible for data protection. At LGPD, this position was called Data Protection Officer (EPD). English terminology, however, ended up becoming better known.

In August 2018, then President Michel Temer sanctioned the LGPD, ordering it to enter into force in August 2020. In this way, all companies that include personal customer information in their database – such as full name, e- mail and CPF – will need to respect the law. Click here to visit the content prepared by OSTEC with all the details of LGPD.

The countdown has started. An important part of the adequacy is to have a DPO in the company. But what exactly does it do? In reality, it aggregates legal and technological knowledge in order to ensure that companies use the information correctly. Thus, he plans and analyzes procedures and internal rules so that products that lawfully collect data are developed. In this sense, it is important to emphasize that the DPO does not need to be a bachelor of law, since specialists in information technology can seek a course in the area and, thus, be fit for the position.

Becoming a DPO

Some companies already have a DPO in their staff. Most of them are companies that maintain more direct connections with European countries, where legislation similar to the LGPD is already in force. It is called GDPR (General Data Protection Regulation), which in reality inspired Brazilian law. Currently, it is common for national companies that provide services and use information about European citizens to be required to have this professional present. The reason is that European companies can be held responsible for any data leaks in the contractor.
Several certification institutes have started offering qualification programs focused on training in DPO. Most of them have courses that certify professionals to work even outside of Brazil. In general, the following training courses are offered:

PDPE: Privacy & Data Protection Essentials

This is the first most direct contact with the LGPD, and teaches about the essential concepts of privacy and protection of personal data. The purpose of this training is to present all legislation, observing practical examples and topics such as understanding the role of the National Data Protection Authority (ANPD) and describing what a Data Protection Impact report (RIPD) is, among others.

PDPF: Privacy & Data Protection Foundation

Here, stakeholders will delve into the fundamental understandings of the law. In this way, a more critical and in-depth analysis of privacy and protection of personal data is reached, allowing an analytical comparison between LGPD and GDPR to be carried out in an analytical manner.

PDPP: Privacy & Data Protection Pratictioner

The name itself gives a good idea of what the course will bring: it focuses on the practical part of the law, learning about documents, reports and contracts required by the law. The training also includes interpretations of case studies, as well as analysis of scenarios for the implementation of a privacy and data protection program in companies.

What is the role of DPO in the company?

As the person responsible for disseminating the data protection culture in the company, the DPO will have to create rules and procedures that are appropriate to the law. Whoever occupies the position will also be responsible for responding to ANPD notifications and requests from information holders, respecting the guidelines provided by law.

Among other demands, the DPO will need to act on raising awareness and informing everyone dealing with personal data, conducting assessments on exposure to the risks of privacy violations, with continuous improvement actions. It should also keep records of data processing activities up to date, being the point of contact with the control authorities.

Because of these tasks, the employee will be a protagonist in strategic decisions of companies, with autonomy over the activities that involve data processing – in order to make decisions that may make the company adequate to the law. Thus, the ideal is that companies seek the DPO months before the LGPD comes into force, as it will be fundamental in the implementation itself. The tip applies to both large and small companies. Smaller ones are even more at risk if they are left without the DPO, since eventual lawsuits due to leaks can seriously affect business finances.


Want to avoid problems like that? Get in touch with OSTEC experts and find out how digital security can expand your business results.

This post is also available in: Português English Español