Even after so many years since the implementation of the General Data Protection Law (LGPD) in Brazil, many companies continue to violate the regulation. The LGPD, which came into force in September 2020, was created to protect the personal data of Brazilian citizens, establishing clear rules on how companies should collect, store, and process this information. However, despite the time that has passed, many companies have made little progress in implementing the regulation.
Recently, the National Data Protection Authority (ANPD) intensified inspections of companies that do not have a data protection officer (DPO). The absence of a DPO is one of the main violations identified, as this professional is essential to ensure the company’s compliance with the LGPD. The DPO acts as an intermediary between the company, data subjects, and the ANPD, and is responsible for monitoring compliance with data protection policies and guiding the organization on best practices.
And these figures may just be the ‘tip of the iceberg.’ In reality, no one knows the exact number of companies that have yet to comply with the regulation. There is no single official survey consolidating the exact figures of all non-compliant companies. Independent research suggests that, in general, the percentage could range between 60% and 70% of Brazilian companies, especially small and medium-sized ones. For larger companies, the number is even higher, possibly reaching 80%.
Why the absence of a DPO makes a difference
In 2024, Brazil surpassed 700 million cybercriminal attacks. It is estimated that nearly 1,400 scams occur every minute, and companies are, of course, the primary targets of these criminals. Crimes such as ransomware—where data is held ‘hostage’ and companies must pay a huge sum to prevent it from being published online—have become commonplace. But for how long will the system—the victims and insurers—withstand such a high volume of attacks?
There is no way to answer this question adequately, especially when victims themselves fail to take the necessary actions to protect their information. The lack of a dedicated data protection professional, or, in some cases, a supposedly responsible person who is overburdened with multiple roles and cannot perform this function satisfactorily, only exacerbates the situation.
Of course, appointing a DPO alone does not solve all compliance challenges, but it shows that the company is committed to structuring a set of practices aligned with the LGPD. Conversely, a failure to prioritize this exposes the company not only to potential sanctions but also to real security incident risks that could lead to significant losses. The fines imposed by the ANPD are just one part of the problem, as intangible losses, such as market trust, can be even more painful. In this scenario, stricter oversight is seen as a necessary measure to reinforce compliance mechanisms and encourage organizations to prioritize data subject privacy.
Hiring a DPO or outsourcing?
Hiring a full-time DPO can be a challenging task, as there is not always sufficient demand within the organization, or sufficient interest, to justify allocating internal resources to this need.
In this sense, outsourcing has been highlighted as a solution for companies that want to comply with the law effectively but lack the structure or resources to maintain a multidisciplinary team focused on data protection. By hiring a specialized service provider, the company gains access to professionals with more experience in dealing with LGPD requirements across different market sectors. Moreover, with an external DPO, the company starts treating data protection as an integrated strategy rather than as a sporadic issue that only receives attention when a notification arrives or a leak occurs.
This contributes to the creation of robust processes without the need for substantial investment in recruitment, training, and talent retention. Outsourcing the DPO role goes beyond simply appointing an external person. The provider usually offers continuous consultancy, conducting risk mapping and analysis, assisting in internal policy development, providing team training, and monitoring updates to the legislation and ANPD regulations.
Additionally, there is the advantage of working with a team that already has practical experience, which reduces the learning curve and helps prevent incidents that could result in fines or reputational damage.
How far does the responsibility of an outsourced DPO extend?
It’s important to note that outsourcing does not exempt the organization from its legal responsibilities. The idea is that the company remains committed to ensuring the security of the data it collects and processes, as Brazilian legislation makes it clear that liability for incidents does not rest solely with the DPO but with the institution as a whole.
What outsourcing does is provide specialized support that understands the necessary steps to keep the organization aligned with the LGPD. The practice of delegating this type of task to an external partner is already adopted in other countries, where data protection has become a critical aspect of risk management and corporate governance. The European Union, for example, under the General Data Protection Regulation (GDPR), requires many companies to appoint a Data Protection Officer. There, many companies have chosen to outsource the service by hiring specialized consultancies, bringing the expertise ‘in-house’ without the need to create an entire department for it.
According to the law, the DPO must have the autonomy to report failures and propose improvements, and international guidelines likewise suggest that the professional should be free from internal pressures that could limit their oversight capacity. Consulting firms that offer this service develop contracts and methodologies that ensure this independence, maintaining transparent communication with management and establishing clear governance criteria.
This mechanism protects both the company and the DPO, who must have the freedom to point out vulnerabilities even when doing so goes against established practices within a specific department or sector.
The ANPD’s intensified oversight is a sign that the era of tolerance is giving way to a firmer stance, and those who choose not to address this issue now may face harsher consequences in the near future.
For companies seeking a safer path, outsourcing is a choice that balances cost, efficiency, and reliability. With this type of partnership, it becomes possible to address internal gaps and structure a compliance routine that will protect the company from both sanctions and the risks associated with a lack of transparency and security regarding the personal data under its responsibility.