4.5 million Brazilian companies (not to mention foreign companies subject to the LGPD) would need to appoint DPOs in response to the law. Clearly, that number is not a realistic estimation. Ninety-nine percent of Brazilian businesses are small organizations often only employing one or two people and are likely not the intended target of this new requirement.
Thus, the applicability of the requirement is unlikely to remain unbounded indefinitely.
Thankfully, clarity on the subject does not require an amendment to the law. Rather, the guidance and limitations are expected to come from the national authority, the Autoridade Nacional de Proteção de Dados, which is authorized under Section 3 of Article 41 to “establish complementary rules about the definition and the duties of the officer, including situations in which the appointment of such person may be waived, according to the nature and the size of the entity or the volume of data processing operations.”
Unfortunately, the ANPD doesn’t yet exist to establish such rules. This is problematic given the law is now IBGE indicate there are roughly 12,100 large companies in Brazil. If the ANPD decided to apply the requirement only to large companies, approximately 12,100 DPO positions would be needed. This is the most conservative calculation option and does not take into account foreign companies subject to the law’s extraterritorial scope.
Alternatively, if the ANPD decided to take the latter approach, we suspect that up to 50% of all Brazilian companies in certain sectors (these include transport, storage and mail; accommodation and food; information and communication; human health and social services; and professional scientific and technical activities) and up to 100% of all companies in others (financial, insurance and related service activities) process data on a large scale and would therefore require a DPO. This calculation recognizes many smaller companies, in addition to large companies, conduct large-scale processing of personal information.
If the ANPD were to institute such a requirement, the number of estimated DPO positions needed gets very large very quickly. In comparison to the 12,100 suggested before, this method of calculation suggests approximately 669,100 DPO positions within Brazil could be required by the LGPD.
Given the size of the Brazilian economy (as measured by gross domestic product) is roughly only 10% of the EU’s economy and that previous IAPP research found about
