The company can assign the role to a current employee or outsource.
For many companies, the appointment of a Data Protection Officer (DPO) is a mandatory requirement to comply with the General Data Protection Regulation (GDPR). This professional must have a high degree of knowledge not only of the new regulation but also of the company’s field of activity.
Since the law entered into force in 2020, bringing the need to adapt to it or risk fines and administrative sanctions, some companies have sought to resolve the DPO issue by assigning the role to a current employee or a senior executive, for example.
However, considering the independence required for a Data Protection Officer to perform his or her role, companies must be careful about potential issues of conflicts of interest with other functions, including those previously performed by the employee.
One of the main duties of the DPO is to be the mediator between the interests of the data controller (on the part of the company), the data subject (employees, business partners, and customers, for example), and the national authority, the National Data Protection Agency (ANPD). In addition, the DPO must provide guidance on the correct procedures to be adopted for the privacy and protection of personal data, as well as verify whether they are being complied with.
The DPO must have the autonomy to work, reporting directly to the highest level of the organization. In addition, they must have at their disposal the resources necessary to perform the tasks, such as information to help them make informed decisions in support of the privacy and protection of personal data.
Assign the role to a current employee or outsource?
When assigning the role internally, there is the issue of conflict of interest, which we have already mentioned above, as well as the overlap of duties, since the position will be offered to a current employee. This leads to other issues, such as the time dedicated to privacy and data protection activities and the other activities previously performed by the employee, as well as the GDPR expertise and experience he or she needs to have.
In one of our last articles, we talked about the Normative Instruction SGD/ME 117, which provides for the indication of the Person in Charge of the Processing of Personal Data in bodies and entities of the federal public administration: “[the DPO] must have essential multidisciplinary knowledge to its attribution, preferably, those related to the themes of privacy and protection of personal data, legal analysis, risk management, data governance and access to information in the public sector”.
The other option would be to outsource the function, something that is already common among companies that need to have a DPO. By hiring a service provider with technical teams and experience in the area, you will have access to the best guidance on what to do and how to protect the personal data of employees, partners, and customers. In addition, the cost is almost always lower (after all, when internalizing the function, there are the CLT costs).
Aiming to meet this demand from current and potential future clients, Pryor Global has created a DPO outsourcing department, with teams specialized in personal data protection and GDPR. It is important to count on a reliable partner for something that only tends to grow in relevance, such as the issue of personal data protection.
Count on us in this challenge!