Even after so many years since the implementation of the General Data Protection Law (LGPD) in Brazil, many companies continue to violate the law. The LGPD, which came into effect in September 2020, was created with the aim of protecting the personal data of Brazilian citizens, establishing clear rules on how companies should collect, store, and process this information. However, despite the time that has passed, many companies have made little progress in implementing the law.
Recently, the National Data Protection Authority (ANPD) has intensified its oversight of companies that do not have a data protection officer (DPO). The lack of a DPO is one of the main infractions identified, as this professional is essential to ensure that the company complies with the LGPD (Brazilian General Data Protection Law). The DPO acts as an intermediary between the company, data subjects, and the ANPD, being responsible for monitoring compliance with data protection policies and guiding the organization on best practices.
And these figures may be only the "tip of the iceberg." In reality, no one knows the exact number of companies that have not yet complied with the law. There is no single official survey that consolidates the exact numbers of all companies that have not adhered to the LGPD (Brazilian General Data Protection Law). Independent research indicates that, in general terms, the percentage may vary between 60% and 70% of Brazilian companies, especially among small and medium-sized enterprises. In the case of large companies, the number is even higher, reaching up to 80%.
Why the lack of a DPO makes a difference
In 2024, Brazil will surely surpass 700 million cybercriminal attacks. It is estimated that almost 1,400 attacks occur per minute, and, of course, companies are the main targets of criminals. Crimes such as ransomware – in which data is usually held "hostage" and companies must pay a huge sum of money to prevent its publication online – have become commonplace. But for how long will the system – the victims and the insurers – be able to withstand such a volume of attacks?
There is no way to properly answer this question, especially when the victims themselves fail to take the necessary actions to protect their information. The lack of a professional focused on data protection, or, in some situations, when the person supposedly responsible for the area accumulates so many functions that they cannot perform this activity satisfactorily, further aggravates this situation.
It is clear that appointing a data protection officer, by itself, does not solve all compliance challenges, but it shows that the company is committed to structuring a set of practices consistent with the LGPD (Brazilian General Data Protection Law). This lack of prioritization not only exposes the company to possible sanctions, but also to real risks of security incidents, which will generate considerable losses. The fines applicable by the ANPD (National Data Protection Authority) are only part of the problem, as intangible losses, such as market confidence, can be even more painful. In this context, more intense oversight is seen as a necessary action to reinforce compliance mechanisms and encourage organizations to prioritize the privacy of data subjects.
Should you hire a DPO or outsource?
Hiring a full-time DPO can be a complicated task, as there isn't always the demand or interest in allocating internal resources to this role.
In this sense, outsourcing has been pointed out as a solution for companies that wish to comply with the legislation effectively, but do not have a large structure or resources to maintain a multidisciplinary team focused on data protection. When resorting to a specialized service provider, the company gains access to professionals who have more experience in dealing with the requirements of the LGPD (Brazilian General Data Protection Law) in different market sectors. Furthermore, with an external responsible party, the company begins to view data protection as something integrated into its strategy, instead of a one-off problem that only receives attention when a notification arrives or when a data breach occurs.
This contributes to the creation of robust processes without requiring a large investment in recruitment, training, and talent retention. Outsourcing the data protection officer goes beyond simply appointing an outsider. The provider typically offers ongoing consulting, conducting risk mapping and analysis activities, assisting in the development of internal policies, conducting team training, and monitoring the evolution of legislation and ANPD regulations.
Furthermore, there is the advantage of having a team that already has experience in practical cases, which reduces the learning curve and helps prevent incidents that could lead to fines or reputational damage.
How far does the responsibility of the outsourced DPO extend?
It is important to emphasize that outsourcing does not exempt the organization from its legal responsibilities. The idea is that the company maintains its commitment to ensuring the security of the data it collects and processes, as Brazilian law makes it clear that responsibility for incidents does not fall solely on the data protection officer, but on the institution as a whole.
Outsourcing provides professional support that understands the necessary steps to keep the organization compliant with the LGPD (Brazilian General Data Protection Law). The practice of delegating this type of task to an external partner is already adopted in other countries where data protection has become a critical point in risk management and corporate governance. The European Union, for example, with the General Data Protection Regulation (GDPR), requires many companies to appoint a data protection officer. There, several companies have opted to outsource this service by hiring specialized consultancies, bringing expertise "in-house" without having to create an entire department for it.
According to the legislation, the data protection officer must have the autonomy to report failures and propose improvements, and some international guidelines suggest that the professional should be free from internal pressures that limit their supervisory capacity. Consulting firms that offer this service develop contracts and work methodologies that ensure this type of independence, maintaining transparent communication with managers and establishing clear governance criteria.
This mechanism protects both the company and the professional, who needs the freedom to point out vulnerabilities even if this goes against established practices within a particular sector or department.
The increased scrutiny by the ANPD (National Data Protection Authority) is a sign that the climate of tolerance is giving way to a firmer stance, and those who choose not to address this problem now may face more serious consequences in the not-too-distant future.
For companies seeking a safer path, outsourcing is a choice capable of balancing cost, efficiency, and reliability. With this type of partnership, it's possible to correct gaps in the internal environment and structure a compliance routine that will protect the company from both sanctions and risks associated with a lack of transparency and security regarding personal data under its responsibility.