The appointment of a Data Protection Officer (DPO) is mandatory, according to Article 41 of the Brazilian General Data Protection Law (LGPD), except for small businesses, as we have already mentioned in another article. In short, the DPO ensures the protection of personal data in accordance with the applicable rules, as well as mediates the interests of both the company, which is the data controller, and the data subject.

The responsibilities of the Data Protection Officer include:

Compliance – The DPO must ensure that the company conducts the processing of personal data in compliance with the General Data Protection Law, in addition, to interpreting the law for the processing agents (the controller and the operator) and all those involved in data processing, advising on the best actions to be taken.

Orientation and training – The DPO is responsible for promoting education and awareness-raising on the correct protection of personal data, offering employee training, suggesting procedures and creating a true data protection culture in the company.

Autonomy – Data Protection Officers must act autonomously in the performance of their duties, without influence from the controller or operator of the personal data. They must not be dismissed or penalized for fulfilling their role, for example, when pointing out the risk of non-compliance with the law in a particular company action. The ethical and practical considerations must come first.

Accountability – The DPO should be available to answer any questions that data subjects may have about the protection of their personal data. While performing his or her duties and to fulfill his or her obligations, the DPO must be provided with all appropriate resources, including access to personal data and processing activities.

Representation before the National Data Protection Authority (ANPD) – The DPO is the one who will receive the communications from the national authority and take the appropriate actions.