In the first three parts of this series on the operational impacts of Brazil’s General Data Protection Law, we examined the law’s different substantive rights, security and governance requirements, and international data transfer issues. In this fourth installment, we consider the human resource impact of the LGPD by exploring the data protection officer requirement.

LGPD’s DPO requirement                                                                                                                                       

In broad terms, Articles 37 through 40 of the LGPD set forth various obligations that arise when processing personal data. These include ensuring adequate record-keeping, data impact assessment preparation and proper processing practices. To ensure these obligations are met, the LGPD mandates every controller, including both public and private entities, that processes personal data is required to appoint a DPO.

This DPO shall be explicitly responsible for accepting complaints and communications from data subjects, providing explanations and adopting measures; receiving communications from the national authority and adopting measures; orienting entity’s employees and contractors regarding practices to be taken in relation to personal data protection; and carrying out other duties as determined by the controller or set forth in complementary rules promulgated by the Brazilian data protection authority, the Autoridade Nacional de Proteção de Dados.

While these duties of the DPO will no doubt be of interest to organizations, perhaps the more important inquiries in the early stages of compliance are who needs a DPO and who can serve as a DPO.

DPO applicability

Regarding the question of who needs a DPO, the LGPD merely states “the controller shall appoint a (DPO) to be in charge of processing personal data.” Despite the apparent simplicity of this sentence, it has huge operational effects. The first is that unlike the EU General Data Protection Regulation, the LGPD’s DPO requirement only applies to controllers and excludes processors. A controller is defined as a “natural person or legal entity, of public or private law, that has competence to make the decisions regarding the processing of personal data.” A processor is defined as a “natural person or legal entity, of public or private law, that processes personal data in the name of the controller.” Thus, unlike the GDPR, only the controller (collector) of the personal data is required to appoint a DPO. Those companies that process data on behalf of others seem to be exempt.

Additionally, there is nothing within the text of the LGPD that limits the applicability to companies that meet certain size or processing thresholds. As a result, any entity that can be classified as a controller is required to have a DPO irrespective of whether the entity is a sole proprietorship collecting minimal data or a multinational corporation collecting the personal data of millions of individuals. However, once operational, the ANPD will have the authority to establish additional rules refining this requirement.

DPO responsibilities and qualifications

Those required to appoint a DPO must disclose the officer’s identity and contact information and take responsibility for the duties listed above. Though these requirements are certainly like their European counterparts, one aspect of the GDPR requirement that is noticeably absent from the LGPD is the mandate that the DPO holds particular credentials. Although the LGPD had a requirement at one point that the DPO has legal and regulatory knowledge, that requirement was ultimately vetoed by Brazilian President Jair Bolsonaro.

As a result, the LGPD is currently silent on the qualifications necessary to serve as a DPO. Despite this silence, some familiarity with the Brazilian regulatory landscape, as well as data protection practices, will likely be necessary to fulfill the DPO duties set forth under Article 41. That said, because Executive Order No. 869/18 changed the definition such that a DPO is no longer required to be a natural person, the skill set required for the position need not be held by only one individual. Alternatively, controllers may take advantage of multiple individuals’ skill sets and fill the position using committees or working groups. Furthermore, for those companies that would prefer not to appoint a DPO, rather than comply with these measures internally, Brazilian Executive Order No. 869/18 clarified that Brazilian controllers may instead choose to outsource their DPO duties to external firms.

DPO liability

One of the final big questions left open by the LGPD with respect to DPOs revolves around the question of liability. The drafters of the GDPR took particular care to ensure that a DPO is independent of the controller and processor and therefore cannot receive sanctions nor be held personally liable for noncompliance. The LGPD, however, contains no such provision. However, given that Article 41 gives the ANPD what is essentially carte blanche authority to make rules and provide guidance modifying the definition and duties of the DPO, it is not out of the question that guidance may be issued in the future to clarify the extent of DPO liability.

Final thoughts

Reflecting upon the LGPD’s DPO requirement, the common theme is that almost everything regarding the DPO is subject to significant change by the ANPD. There is a very real possibility that the ANPD will issue rules soon after it becomes operational that render the majority of this article outdated.

The impact of these changes won’t necessarily be small either. For instance, a recent IAPP study indicated the total number of DPO positions necessary in the Brazilian economy to comply with the LGPD ranges from 12,000 to 4.5 million. While the IAPP ultimately estimates that at least 50,000 DPOs will be necessary for response to the LGPD, this number is entirely subject to change based on the ANPD’s decisions.

Ultimately, this is all to say that given the likelihood of changing rules, organizations of all sizes must remain on their toes and pay attention as the ANPD becomes operational. Failure to do so risks being the subject of sanctions and enforcement, which will be discussed in the fifth and final article in this series.

Photo by sergio souza on Unsplash