*By Jefferson Penteado

Over the years, the General Data Protection Law (LGPD) will bring a great gain in information security maturity to small and medium-sized companies. Although the law entered into force in 2020, its sanctions and fines only took effect this past August, creating strong demand for tools that help with compliance and, naturally, raising a series of doubts.

One of the main points of discussion in this adaptation process concerns the role of the “person in charge” of data, a person appointed within the company to act as a communication channel between the “controller” (generally a legal entity), the “data subject” (whose data is processed by that legal entity) and the National Data Protection Authority, an agency created by the government to ensure the implementation of the LGPD.

This confusion comes from the origins of the law here in Brazil, since it was built on the basis of the GDPR, the regulation created by the European Union to govern data processing, which came into force in 2018. The GDPR provides for the figure of the Data Protection Officer, a professional with an executive role who acts as an auditor and whose objective is to implement controls, ensure adequacy and supervise data protection standards.

As the LGPD underwent a long period of maturation until it was finally sanctioned by the Michel Temer government, much of the information that circulated among companies and those responsible for the technology area had European law as a reference. That's why, as the CEO of an important technology provider for information security, it's normal for me to come across, among clients, this confusion between the role of the “person in charge” under the LGPD and the “DPO”.

The truth is that the role of DPO does not exist in Brazilian legislation, because the person in charge does not share the same legal responsibilities as a Data Protection Officer. In Brazilian law, this person's role is to ensure the compliance of an organization, public or private, with the LGPD. The person in charge can even be a natural or legal person who provides services to different companies.

The responsibility for the processing of personal data remains with the “controller”, who owns the data, or the “data operator”, a natural or legal person who effectively processes and uses it.

From the point of view of small and medium-sized companies, this difference from European law is, in a way, a relief. Financially, hiring or maintaining a professional or company with DPO responsibilities could generate unfeasible costs, which would only be within the reach of large corporations.

It is also positive for IT managers, who now share the responsibilities for implementing the LGPD with their superiors, contrary to the common SME habit of handing everything related to technology to the “IT guy”. The law makes it clear that taking care of personal data has to be a continuous activity, carried out by the different areas of the business.

*Jefferson Penteado is CEO of BluePex Ciber Security, a national information security solutions company

Notice: The opinion presented in this article is the responsibility of its author and not of ABES - Brazilian Association of Software Companies
