Years after Brazil's General Data Protection Law (LGPD) took effect, many companies still fail to comply with it. The LGPD, in force since September 2020, was created to protect the personal data of Brazilian citizens by establishing clear rules on how companies must collect, store and process that information. Despite the time that has passed, however, many companies have made little progress in implementing the law.
Recently, the National Data Protection Authority (ANPD) has stepped up its monitoring of companies that have not appointed a data protection officer (DPO). The absence of a DPO is one of the main violations identified, since this role is essential to keeping the company in compliance with the LGPD. The DPO acts as the intermediary between the company, the data subjects and the ANPD, and is responsible for monitoring compliance with data protection policies and guiding the organization on best practices.
And these figures may be only the "tip of the iceberg". In reality, no one knows how many companies have yet to comply with the law: there is no single official survey that consolidates the number of companies that are not in compliance with the LGPD. Independent research indicates that, in general terms, the share ranges between 60% and 70% of Brazilian companies, especially among small and medium-sized businesses. Among large companies, the figure reported is even higher, reaching 80%.
Why the lack of a DPO makes a difference
In 2024, Brazil is estimated to have surpassed 700 million cyberattacks, which works out to almost 1,400 attacks every minute, and companies are, of course, the criminals' main targets. Crimes such as ransomware, in which data is "held hostage" and companies are pressured to pay large sums to regain access to it or to keep it from being published online, have become commonplace. But how long will the system, victims and insurers alike, be able to withstand such a volume of attacks?
There is no way to answer this question properly, especially when the victims themselves fail to take the actions needed to protect their information. The situation is made worse by the lack of a professional dedicated to data protection or, in some cases, by the fact that the person supposedly responsible for the area accumulates so many functions that he or she cannot perform this one satisfactorily.
Of course, appointing a person in charge does not by itself solve every compliance challenge, but it shows that the company is committed to building a set of practices consistent with the LGPD. This lack of prioritization exposes the company not only to the possibility of sanctions but also to the real risk of security incidents, which generate considerable losses. Fines imposed by the ANPD are only part of the problem; intangible losses, such as market trust, can be even more painful. In this scenario, more intense monitoring is a necessary step to strengthen compliance mechanisms and to encourage organizations to put the privacy of data subjects on the agenda.
Hire a DPO or outsource?
Hiring a full-time DPO can be complicated, as there is not always enough demand to justify, or enough interest in, allocating internal resources to the role.
Outsourcing has therefore emerged as a solution for companies that wish to comply with the law effectively but lack the structure or resources to maintain a multidisciplinary team focused on data protection. By using a specialized service provider, the company gains access to professionals with broader experience of LGPD requirements across different market sectors. With an external person in charge, the company also starts to treat data protection as something integrated into its strategy, rather than an isolated problem that only receives attention when a notification arrives or a leak occurs.
This helps to build robust processes without a large investment in recruiting, training and retaining talent. Outsourcing the DPO role goes beyond simply appointing an outsider: the service provider usually offers ongoing consultancy, carrying out risk mapping and analysis, assisting in the development of internal policies, training teams and tracking changes in legislation and ANPD regulations.
Furthermore, there is the advantage of having a team that already has experience in practical cases, which reduces the learning curve and helps prevent incidents that could generate fines or damage to reputation.
How far does the outsourced DPO's responsibility go?
It is important to note that outsourcing does not exempt the organization from its legal responsibilities. The company must maintain its own commitment to securing the data it collects and processes, because Brazilian law makes clear that responsibility for incidents does not fall solely on the person in charge but on the institution as a whole.
What outsourcing provides is professional support from people who understand the steps needed to keep the organization aligned with the LGPD. Delegating this task to an external partner is already common practice in other countries, where data protection has become a critical point of risk management and corporate governance. In the European Union, for example, the General Data Protection Regulation requires many organizations to appoint a data protection officer. There, many companies have chosen to outsource the role by hiring specialized consultancies, bringing the expertise in-house without having to create an entire department for it.
Under the law, the person in charge must have the autonomy to report failures and propose improvements, and some international guidelines add that the professional must be free from internal pressures that would limit their ability to monitor. Consulting firms that offer this service draw up contracts and working methods that guarantee this independence, maintaining transparent communication with management and establishing clear governance criteria.
This mechanism protects both the company and the professional, who needs to have the freedom to indicate vulnerabilities even if this goes against consolidated practices within a given sector or department.
The intensification of ANPD oversight is a sign that tolerance is giving way to a firmer stance, and those who choose not to address this problem now may face heavier consequences in the not-too-distant future.
For companies that want a safer path, outsourcing is a choice that can balance cost, efficiency and reliability. With this kind of partnership, it is possible to close gaps in the internal environment and build a compliance routine that protects the company both from sanctions and from the risks associated with a lack of transparency and security around the personal data under its responsibility.