The position of ‘Data Protection Officer’ – established initially under the terms of the EU’s General Data Protection Regulation (GDPR) – has been imported into Brazil’s equivalent General Data Protection Law (LGPD) with the slightly peculiar title of “Encarregado.”
The European Union’s GDPR data protection legislation came into force on March 25, 2018, while Brazil’s LGPD was published on August 13, 2018, but only came into force on September 18, 2020.
Europe’s Data Protection Supervisor, the European Union’s independent data protection authority, establishes the responsibilities of the Data Protection Officer (DPO). Perhaps the key proviso for the position is to ensure that their organization processes the personal data of its staff, customers, suppliers, or any other individuals (or data subjects), under the applicable data protection rules.
The DPO must fulfill their functions independently and not receive instructions on how to perform their duties from any other person or entity.
There should be no conflict of interest between an individual’s duties as a DPO and any other responsibilities they may have that might compromise their obligations as DPO.
The data protection authority makes the following recommendations to minimize situations of conflicting interests. The DPO should:
- not also control data handling activities (for example, serve as the human resources manager);
- not be an employee on a short-term contract;
- not report to a direct superior who is not a senior manager; and
- have the ability to manage their own budget.
Let’s examine the main tasks of the DPO: