The Brazilian General Data Protection Act (LGPD) entered into force in September 2020, introducing the role of Data Protection Officer (DPO). In the Act, the role is described as the person appointed by the controller and processor to act as a communication channel between the controller, the data subjects and the National Data Protection Authority (ANPD).
After extensive discussion and amendment during the drafting and approval of the Act, it was settled that the data protection officer may be an employee, a legal entity, or even a third party, whether an individual or a legal entity, and whether compensated or not.
The fact remains, however, that the overwhelming majority of Brazilians, if asked who the DPO is, would point to a manager or even an ordinary employee, since no campaign had been run (as of the writing of this article) to raise awareness of the importance of the role performed by the data protection officer.
In the European Union, by contrast, the data protection officer is more thoroughly regulated by the General Data Protection Regulation (GDPR), with a much broader scope of action than the mere communication channel of the LGPD, and notably with greater independence. There, controllers and processors must always designate a data protection officer in the following situations:
- If the organization is a public body or authority (except for courts acting in their judicial capacity).
- If its core activities require regular and systematic large-scale monitoring of individuals.
- If its core activities consist of large-scale processing of sensitive personal data or of data relating to criminal convictions and offences.
In most countries with data protection laws, the data protection officer may be outsourced (for example in the UAE, Ghana, New Zealand, Nigeria, the UK, Thailand and Uruguay), but there are rare exceptions, such as Egypt, where the data protection officer must be an employee of the legal entity concerned.
The case of the USA is equally worth mentioning, not because of the California Consumer Privacy Act (CCPA), which provides for no data protection officer, but because of the Health Insurance Portability and Accountability Act (HIPAA). Enacted in 1996, it introduced the requirement, for organizations in the US healthcare industry, of a professional responsible for the handling of personal data, referred to as the chief privacy officer (CPO). It might be said that the Americans have the most complete experience in establishing such a position, going beyond even the requirements of the GDPR, since the CPO is responsible for:
- Creating a strategic and comprehensive privacy program that defines, maintains, develops and implements policies and processes for consistent and effective privacy practices that minimize risk and guarantee the confidentiality of personal data, whether analogue or digital.
- Working with senior management of the corporate organization, security and compliance functions to establish governance for the privacy program.
- Carrying out a leading role in privacy compliance.
- Ensuring that privacy forms, policies and procedures are up to date.
- Establishing an ongoing process to track, investigate and report undue access and disclosure of personal data information.
- Performing or supervising initial and periodic privacy risk assessments, together with the mitigation and remediation of the risks identified.
- Monitoring patterns of undue access and/or disclosure of protected health information.
- Taking a leadership role in ensuring that the organization maintains appropriate privacy and confidentiality consent and authorization forms, information notices and materials, reflecting current organizational and legal practices and requirements.
- Overseeing, developing and delivering initial and continuous privacy training to employees.
- Participating in the development, implementation and ongoing compliance monitoring of all trading partner and business associate agreements, to ensure that all privacy requirements and responsibilities are addressed.
- Assessing, documenting and mitigating breach risks.
- Working alongside Human Resources to ensure consistent enforcement of sanctions for privacy breaches.
- Managing the processes for investigating and acting on complaints about privacy and security incidents.
- Promoting programs that raise awareness and understanding of information privacy across the corporation.
- Keeping up to date with privacy laws.
- Managing all breach reporting processes as required by authorities.
Turning to Brazil: under the regulatory agenda of the National Data Protection Authority (ANPD) for the 2021-2022 biennium, set out in Ordinance 11 of January 27, 2021, the requirement for a data protection officer was to be addressed in the first half of 2021, as part of the regulation of data protection and privacy for small and medium-sized companies, startups and individuals who process personal data for economic purposes, possibly even waiving the data protection officer requirement for them, given that most such organizations cannot bear the cost of training an employee, hiring a specialist or outsourcing the function. Unfortunately, nothing has happened so far.
The same 2021-2022 agenda also provides for the regulation of the data protection officer in the first half of 2022, when the following points, among others, are expected to be defined, or at least discussed:
- When the requirement applies and the criteria for waiving it.
- The duties expected of the data protection officer.
- The officer's independence and potential conflicts of interest.
- The scope of the officer's liability for incidents involving personal data processed by the controller or processor they represent that cause harm to data subjects.
- Whether the controller or processor must carry insurance, depending on the degree of liability assigned.
- Groundwork for regulating the profession, including training requirements.