The Centre for Information Policy Leadership (CIPL) has recommended that the National Data Protection Authority (ANPD) propose a set of criteria for Data Protection Officer (DPO) roles and responsibilities. The recommendations are intended to clarify responsibilities and appointment processes. The ANPD is encouraged to highlight when an organization may be exempt from appointing a DPO, and to clarify what a DPO is personally responsible for in terms of their company's behaviour regarding the LGPD. Calls are also made for the opportunity to create data protection offices, where a company may hire an external DPO.
Appointing a DPO
The LGPD defines the DPO as the person appointed by an organization who acts as a communication channel between the company, its data subjects and the ANPD. It requires organizations to appoint a DPO and to publish the DPO's details in a public space, preferably on their website. An organization does have the option of hiring someone from outside Brazil to be its DPO: as long as the individual is able to fulfil their responsibilities, there are no geographical restrictions.
The document recommends that the ANPD take a flexible approach to the rules regarding DPOs. It is advised that the ANPD needs to reinforce the key differences between a DPO under the LGPD and a DPO under the GDPR. Within the GDPR, a DPO can only provide that service to one data controller. Under the LGPD, however, a DPO is not restricted to just one organization.
CIPL has asked that the ANPD provide examples of the minimum requirements when appointing a DPO. It is suggested that an organization should have flexibility in defining how its DPO interacts with the public and the ANPD. Provided the organization's framework meets the law, this allows for a better understanding of the DPO's role within the company.
CIPL would like the ANPD to set up a dedicated department for communicating with DPOs across the country. It has also called for the opportunity for certain organizations to be exempt from hiring a DPO if:
- The data processing activities are low risk
- They process low volumes of personal data
It seems there is also a need for the ANPD to clarify the responsibilities of the DPO within the company. The ANPD is urged to remind individuals that they are not personally responsible for their company's misconduct or non-compliance with the LGPD. Alongside this, the ANPD is asked to allow organizations to create data protection offices. This would allow companies to hire external DPOs instead of creating an internal position. Advantages of this include potentially lowering the cost of appointing a DPO. It would also allow companies to hire someone with specialised knowledge of the regulations.
How we can help you
The LGPD is still very new, and it can be difficult to know exactly what your company should be doing. Value Privacy are here to provide expert recommendations, support you in making your company LGPD compliant, and help you navigate the process of finding the right DPO for you. Contact us today to discuss how we can help you.