The LGPD has established that the controller and operator must appoint a Data Protection Officer, who will act as a communication link between the controller, the data subjects (individuals) and the National Data Protection Authority (“ANPD”). Although this provision still depends on the ANPD’s regulation, the LGPD has been effective since September 18, 2020 and companies should address this matter as soon as possible.
According to the LGPD, the activities of the DPO consist of:
- receiving complaints and communications from the data subjects, providing clarifications and adopting measures;
- communicating with the ANPD and adopting relevant measures;
- providing guidance to the entity’s employees and contractors on the practices that should be adopted in regard to the protection of personal data; and
- performing other duties assigned by the controller or by complementary rules.
Several questions arise from this legal requirement and how it will be implemented. Should the DPO be someone from within the organization or outside? Is it better to form a committee? What are the best international practices? And are there any conflicts of interest?
Our Data Privacy and Cybersecurity team has helped its clients answer these questions by conducting training, organizing the structure and activities of the data privacy and protection committee, helping to select the DPO and jointly defining the most suitable measures for business compliance.
We are available to guide your company in this new scenario. Contact us to ensure full compliance with LGPD and DPO requirements.