Even after so many years since the implementation of the General Data Protection Law (LGPD) in Brazil, many companies continue to violate the regulation. The LGPD, which came into effect in September 2020, was created to protect the personal data of Brazilian citizens, establishing clear rules on how companies should collect, store, and process this information. However, despite the time that has passed, many companies have made little progress in implementing the regulation.
Recently, the National Data Protection Authority (ANPD) intensified inspections of companies that do not have a data protection officer (DPO). The lack of a DPO is one of the main violations identified, as this professional is essential to ensure that the company complies with the LGPD. The DPO acts as an intermediary between the company, data subjects, and the ANPD, being responsible for monitoring compliance with data protection policies and guiding the organization on best practices.
And this data may only be the ‘tip of the iceberg.’ In reality, no one knows how many companies have yet to comply with the regulation. There is no single official survey that consolidates the exact number of companies not in compliance with the LGPD. Independent research suggests that, in general, the percentage may vary between 60% and 70% of Brazilian companies, especially small and medium-sized ones. For large companies, the number is even higher, potentially reaching 80%.
Why the lack of a DPO makes a difference
In 2024, Brazil surpassed 700 million cybercriminal attacks. It is estimated that nearly 1,400 scams occur every minute, and of course, companies are the main targets of criminals. Crimes like ransomware—where data is typically held ‘hostage’ and companies must pay a large sum to prevent its online publication—have become commonplace. But how long will the system—the victims and insurers—endure such a volume of attacks?
There is no way to answer this question appropriately, especially when the victims themselves fail to take the necessary actions to protect their information. The situation is further aggravated by the lack of a professional focused on data protection or, in some cases, by the fact that the person supposedly responsible for the area accumulates so many functions that they cannot perform this activity satisfactorily.
Of course, appointing a DPO alone does not solve all compliance challenges, but it shows that the company is committed to structuring a set of practices aligned with the LGPD. Conversely, this lack of prioritization exposes the company not only to potential sanctions but also to real risks of security incidents, which will cause considerable damage. The fines imposed by the ANPD are only part of the problem, as intangible losses, such as market trust, can be even more painful. In this scenario, stricter enforcement is seen as a necessary action to strengthen compliance mechanisms and encourage organizations to prioritize data subjects’ privacy.
Hire a DPO or outsource?
Hiring a full-time DPO can be a complicated task, as there is not always the demand or interest in allocating internal resources for this need.
In this sense, outsourcing has been pointed out as a solution for companies that want to comply with the legislation effectively but do not have a large structure or resources to maintain a multidisciplinary team focused on data protection. When turning to a specialized service provider, the company gains access to professionals with more experience handling LGPD requirements across different market sectors. Moreover, with an external responsible party, the company starts to view data protection as something integrated into its strategy, rather than an isolated issue that only receives attention when a notification arrives or a leak occurs.
This contributes to the creation of robust processes without the need for significant investment in recruitment, training, and talent retention. Outsourcing the data protection officer goes beyond simply naming an external person. The provider usually offers continuous consultancy, performing risk mapping and analysis activities, assisting in the development of internal policies, conducting team training, and monitoring the evolution of legislation and ANPD regulations.
Additionally, there is the advantage of having a team with practical experience, which reduces the learning curve and helps prevent incidents that could result in fines or reputational damage.
How far does the responsibility of the outsourced DPO go?
It is important to note that outsourcing does not exempt the organization from its legal responsibilities. The idea is that the company remains committed to ensuring the security of the data it collects and processes, as Brazilian legislation makes it clear that responsibility for incidents does not fall solely on the DPO but on the institution as a whole.
What outsourcing does is provide professionalized support that understands the necessary steps to keep the organization aligned with the LGPD. The practice of delegating this type of task to an external partner is already adopted in other countries, where data protection has become a critical point of risk management and corporate governance. The European Union, for example, with the General Data Protection Regulation (GDPR), requires many companies to appoint a Data Protection Officer. There, many companies opted for outsourcing the service by hiring specialized consultancies, bringing the expertise in-house, without needing to create an entire department for it.
The DPO, according to the legislation, must have the autonomy to report failures and propose improvements, and international guidelines suggest that the professional should be free from internal pressures that limit their oversight capacity. Consultancies offering this service develop contracts and methodologies that ensure this independence, maintaining transparent communication with managers and establishing clear governance criteria.
This mechanism protects both the company and the professional, who needs the freedom to point out vulnerabilities even if it goes against established practices within a particular sector or department.
The intensification of ANPD inspections is a sign that the tolerance scenario is giving way to a firmer stance, and those who choose not to address this issue now may face heavier consequences in the not-too-distant future.
For companies seeking a safer path, outsourcing is a choice that balances cost, efficiency, and reliability. With this type of partnership, it is possible to address gaps in the internal environment and structure a compliance routine that will protect the company from both sanctions and the risks associated with a lack of transparency and security regarding the personal data under its responsibility.