
Increased ANPD oversight puts companies on the wall

Even so many years after the General Data Protection Law (LGPD) came into effect in Brazil, many companies continue to violate the norm. The LGPD, which came into force in September 2020, was created to protect the personal data of Brazilian citizens, establishing clear rules on how companies must collect, store and process this information. However, despite the time elapsed, many companies have made little progress in implementing the standard.

Recently, the National Data Protection Authority (ANPD) has intensified its supervision of companies that have not designated a person in charge of personal data protection, also known as a Data Protection Officer (DPO). The lack of a DPO is one of the main infringements identified, since this professional is essential to ensure that the company is in compliance with the LGPD. The DPO acts as an intermediary between the company, data subjects and the ANPD, and is responsible for monitoring compliance with data protection policies and for guiding the organization on best practices.

And these figures may be only the "tip of the iceberg". In reality, no one knows how many companies have not yet adhered to the standard, as there is no single official survey that consolidates exact numbers for all companies not complying with the LGPD. Independent research indicates that, in general terms, the percentage can vary between 60% and 70% of Brazilian companies, especially among small and medium-sized ones. Among large companies, the number is even higher, and can reach 80%.

Why the lack of a DPO makes a difference

In 2024, Brazil has surely exceeded 700 million cybercriminal attacks. It is estimated that almost 1,400 scams occur per minute and, of course, companies are the main targets of criminals. Crimes such as ransomware (in which data is held for ransom and, for it not to be published online, companies must pay a huge financial sum) have become commonplace. But how long will the system's victims and insurers …?

There is no way to answer this question appropriately, especially when the victims themselves fail to take the actions necessary to protect their information. The situation is further aggravated by the lack of a professional dedicated to data protection or, in some cases, by the supposed person responsible for the area accumulating so many functions that they cannot perform this activity satisfactorily.

Of course, the designation of a person in charge does not, by itself, solve all the compliance challenges, but it shows that the company is committed to structuring a set of practices consistent with the LGPD. This lack of prioritization does not only carry the possibility of sanctions, but also real risks of security incidents, which can generate considerable damage. The fines the ANPD can apply are only part of the problem, because intangible losses, such as market confidence, can be even more painful. In this scenario, the more intense supervision is seen as a necessary action to strengthen the mechanisms of compliance with the legislation and to encourage organizations to put the privacy of data subjects on the agenda.

Hiring a DPO or outsourcing?

Hiring a full-time DPO can be a tricky task, as there is not always the demand or the interest in allocating internal resources to this role.

In this sense, outsourcing has been pointed out as a solution for companies that want to comply with the legislation effectively but do not have a large structure or the resources to maintain a multidisciplinary team focused on data protection. When a specialized service provider is used, the company gains access to professionals with more experience in dealing with the requirements of the LGPD across different market sectors. In addition, with an external person in charge, the company starts to view data protection as something integrated into its strategy, instead of an isolated problem that only receives attention when a notification arrives or a leak occurs.

This contributes to the creation of robust processes without requiring a large investment in recruiting, training and retaining talent. Outsourcing the data protection officer goes beyond simply appointing an outsider. The provider usually offers continuous consulting, performing data mapping and risk analysis activities, assisting in the development of internal policies, conducting training for teams and monitoring the evolution of the legislation and of ANPD regulations.

In addition, there is the advantage of having a team that already has experience with practical cases, which shortens the learning curve and helps prevent incidents that could generate fines or reputational damage.

How far does the responsibility of the outsourced DPO go

It is important to highlight that outsourcing does not exempt the organization from its legal responsibilities. The company remains committed to ensuring the security of the data it collects and processes, because Brazilian law makes it clear that responsibility for incidents does not fall only on the person in charge, but on the institution as a whole.

What outsourcing does is offer professionalized support that understands what is needed to keep the organization in line with the LGPD. The practice of delegating this type of task to an external partner is already adopted in other countries, where data protection has become a critical point of risk management and corporate governance. The European Union, for example, with the General Data Protection Regulation, requires many companies to appoint a data protection officer. There, several companies have opted to outsource the service by hiring specialized consultancies, bringing the expertise in-house without having to create a whole department for it.

The person in charge, according to the legislation, needs to have the autonomy to report failures and propose improvements, and some of the international guidelines suggest that the professional should be free of internal pressures that limit their capacity for supervision. Consultancies that offer this service develop contracts and work methodologies that ensure this type of independence, maintaining transparent communication with managers and establishing clear governance criteria.

This mechanism protects both the company and the professional, who needs to be free to point out vulnerabilities even when this goes against practices consolidated within a particular sector or department.

The intensification of the ANPD's supervision is a sign that the scenario of tolerance is giving way to a firmer stance, and those who choose not to address this problem now may face heavier consequences in the not too distant future.

For companies that want a safer path, outsourcing is a choice capable of balancing cost, efficiency and reliability. With this type of partnership, it is possible to correct gaps in the internal environment and structure a compliance routine that protects the company both from sanctions and from the risks associated with a lack of transparency and security regarding the personal data under its responsibility.
