
    Increased oversight by the ANPD puts companies under pressure

    Years after the General Data Protection Law (LGPD) took effect in Brazil, many companies continue to violate it. The LGPD, which came into force in September 2020, was created to protect the personal data of Brazilian citizens, establishing clear rules on how companies must collect, store and process this information. Despite the time elapsed, however, many companies have made little progress in implementing the law.

    Recently, the National Data Protection Authority (ANPD) has stepped up oversight of companies that have not appointed a data protection officer (in the LGPD's terms, the "encarregado", commonly referred to as the DPO). The absence of a DPO is one of the main violations identified, since this professional is essential to ensuring that the company complies with the LGPD. The DPO acts as the point of contact between the company, data subjects and the ANPD, and is responsible for monitoring compliance with data protection policies and guiding the organization on best practices.

    And these figures may be only the "tip of the iceberg". In reality, nobody knows how many companies have not yet complied with the law, because there is no single official survey that consolidates the numbers for all non-compliant companies. Independent research indicates that, in general terms, the share of non-compliant Brazilian companies varies between 60% and 70%, especially among small and medium-sized businesses. Among large companies, the figure reported is even higher, reaching up to 80%.

    Why the lack of a DPO makes a difference

    In 2024, Brazil is believed to have surpassed 700 million cyberattacks, which works out to nearly 1,400 attacks per minute, and, of course, companies are the criminals' main targets. Crimes such as ransomware, in which data is taken "hostage" and companies must pay a large sum to prevent it from being published online, have become commonplace. But how long can the system, victims and insurers alike, withstand such a volume of attacks?

    There is no good answer to this question, especially when the victims themselves fail to take the actions needed to protect their information. The situation is made worse by the absence of a professional dedicated to data protection or, in some cases, by the fact that the person nominally responsible for the area has accumulated so many other functions that they cannot perform this one adequately.

    Appointing an officer does not, by itself, solve every compliance challenge, but it shows that the company is committed to building a set of practices consistent with the LGPD. Conversely, a failure to prioritize the matter is reflected not only in the possibility of sanctions but also in a real risk of security incidents with considerable losses. The fines imposed by the ANPD are only part of the problem, since intangible losses, such as market confidence, can be even more painful. Against this backdrop, the more intense oversight is seen as a necessary step to strengthen the mechanisms for compliance with the legislation and to encourage organizations to prioritize the privacy of data subjects.

    Hire a DPO or outsource?

    Hiring a full-time DPO can be difficult, because there is not always enough demand, or enough interest, to justify allocating internal resources to the role.

    For this reason, outsourcing has been pointed to as a solution for companies that want to comply with the legislation effectively but lack the structure or resources to maintain a multidisciplinary team dedicated to data protection. By turning to a specialized service provider, the company gains access to professionals with broader experience in applying the LGPD's requirements across different sectors of the market. Furthermore, with an external officer the company tends to treat data protection as something integrated into its strategy, rather than as an isolated problem that only receives attention when a notification arrives or a leak occurs.

    This helps build robust processes without a large investment in recruiting, training and retaining talent. Outsourcing the data protection officer goes beyond simply appointing an outside person: the provider usually offers ongoing consulting, carrying out data mapping and risk analysis, assisting in drafting internal policies, training the teams and tracking changes in the legislation and in ANPD regulations.

    There is also the advantage of working with a team that already has experience with practical cases, which shortens the learning curve and helps prevent incidents that could lead to fines or reputational damage.

    How far the responsibility of the outsourced DPO extends

    It is important to stress that outsourcing does not release the organization from its legal responsibilities. The company remains committed to ensuring the security of the data it collects and processes, since Brazilian legislation makes it clear that responsibility for incidents does not rest solely with the officer but with the institution as a whole.

    What outsourcing provides is professional support from someone who understands the steps needed to keep the organization in line with the LGPD. Delegating this kind of task to an external partner is already common in other countries, where data protection has become a critical element of risk management and corporate governance. In the European Union, for example, the General Data Protection Regulation requires many companies to appoint a data protection officer, and many of them have chosen to outsource the role to specialized consultancies, bringing the expertise "in-house" without having to build an entire department for it.

    Under the legislation, the officer must have the autonomy to report failures and propose improvements, and international guidance adds that the professional should be free from internal pressures that would limit their ability to oversee. Consultancies that offer this service draw up contracts and working methods that guarantee this independence, maintaining transparent communication with management and establishing clear governance criteria.

    This arrangement protects both the company and the professional, who needs the freedom to point out vulnerabilities even when doing so runs against established practice in a particular sector or department.

    The intensification of the ANPD's oversight signals that the period of tolerance is giving way to a firmer stance, and those who choose not to address the problem now may face heavier consequences in the not-too-distant future.

    For companies seeking a safer path, outsourcing is an option that can balance cost, efficiency and reliability. With this kind of partnership, it is possible to close gaps in the internal environment and establish a compliance routine that protects the company both from sanctions and from the risks that come with a lack of transparency and security around the personal data in its care.
