Even now, several years after the General Data Protection Law (LGPD) took effect in Brazil, many companies continue to violate it. The LGPD, in force since September 2020, was created to protect the personal data of Brazilian citizens by establishing clear rules on how companies must collect, store, and process this information. Despite the time that has passed, many companies have made little progress in implementing the law.
Recently, the National Data Protection Authority (ANPD) has stepped up oversight of companies that have not appointed a Data Protection Officer (DPO). The absence of a DPO is one of the main violations identified, since this professional is essential to ensuring that the company complies with the LGPD. The DPO acts as the point of contact between the company, data subjects, and the ANPD, and is responsible for monitoring compliance with data protection policies and guiding the organization on best practices.
And the cases identified by the ANPD may be only the "tip of the iceberg". In reality, no one knows how many companies have not yet adopted the law: there is no single official survey that consolidates the number of companies not compliant with the LGPD. Independent research indicates that the share of non-compliant companies may be somewhere between 60% and 70% of Brazilian companies, especially among small and medium-sized enterprises. Among large companies, the figure is even higher, reaching up to 80%.
Why the lack of a DPO makes a difference
In 2024, Brazil likely surpassed 700 million cybercriminal attacks. It is estimated that nearly 1,400 scams occur per minute, and companies are, of course, the main targets. Crimes like ransomware have become commonplace: the attacker encrypts the victim's data and, increasingly, exfiltrates a copy and threatens to publish it online unless a large ransom is paid. Paying offers no guarantee that the data will be restored or that the stolen copy will be deleted. But how long will the system, meaning the victims and the insurers, withstand such a volume of attacks?
There is no good answer to that question, especially when the victims themselves fail to take the actions needed to protect their information. The situation is made worse by the lack of a professional dedicated to data protection or, in some cases, by a nominal person in charge who has accumulated so many other functions that they cannot perform this one satisfactorily.
Of course, simply appointing a person in charge does not solve every compliance challenge, but it shows that the company is committed to establishing a set of practices consistent with the LGPD. The lack of prioritization, on the other hand, translates not only into the possibility of sanctions but into real security incident risk, with considerable damage when an incident materializes. The fines imposed by the ANPD are only part of the problem; intangible losses, such as market trust, can hurt even more. In this context, more intense oversight is a necessary step to strengthen compliance mechanisms and push organizations to prioritize the privacy of data subjects.
Hire a DPO or outsource?
Hiring a full-time DPO can be difficult, since there is not always enough demand, or enough interest, to justify allocating internal resources to this role.
Outsourcing has therefore been pointed to as a solution for companies that want to comply effectively with the legislation but lack the structure or resources to maintain a multidisciplinary team dedicated to data protection. By engaging a specialized service provider, the company gains access to professionals with broader experience of LGPD requirements across different market sectors. With an external responsible party, the company also tends to treat data protection as an integral part of its strategy, rather than an occasional issue that only gets attention when a notification arrives or a leak occurs.
This supports the creation of robust processes without a substantial investment in recruiting, training, and retaining talent. Outsourcing the data protection officer goes beyond simply naming an external person. The provider typically offers ongoing consulting: mapping and analyzing risks, helping draft internal policies, training teams, and tracking changes in the legislation and in ANPD regulations.
There is also the advantage of a team with practical experience, which shortens the learning curve and helps prevent incidents that could result in fines or reputational damage.
How far does the outsourced DPO's responsibility go?
It is important to stress that outsourcing does not relieve the organization of its legal responsibilities. The company remains responsible for the security of the data it collects and processes: under Brazilian legislation, liability for incidents does not fall on the appointed officer alone, but on the institution as a whole, in its capacity as controller of the data.
What outsourcing provides is specialized support that knows the steps needed to keep the organization in line with the LGPD. Delegating this kind of task to an external partner is already common in other countries, where data protection has become a critical point of risk management and corporate governance. In the European Union, for example, the General Data Protection Regulation (GDPR) requires many organizations to appoint a data protection officer and expressly allows that officer to be an external party engaged under a service contract. Many companies there have opted to outsource the function to specialized consulting firms, bringing the expertise in-house without creating an entire department for it.
Under the legislation, the person in charge must have the autonomy to report failures and propose improvements, and international guidelines add that the professional should be free from internal pressures that limit their oversight capacity. Consulting firms offering this service draw up contracts and work methodologies that guarantee this independence, maintaining transparent communication with management and establishing clear governance criteria.
This arrangement protects both the company and the professional, who needs the freedom to report vulnerabilities even when doing so goes against established practices in a given sector or department.
The intensification of the ANPD's oversight signals that a period of tolerance is giving way to a firmer stance, and those who choose not to address the issue now may face heavier consequences in the not-too-distant future.
For companies seeking a safer path, outsourcing is a choice capable of balancing cost, efficiency, and reliability. With this kind of partnership, it is possible to close gaps in the internal environment and establish a compliance routine that protects the company from sanctions and from the risks that come with a lack of transparency and security around the personal data under its responsibility.