Brazil is requiring that all central government organizations appoint a data protection officer (DPO), who will be responsible for the appropriate treatment of personal data at each institution.
According to the Digital Government Secretariat (SGD) at the Ministry of Economy, the DPO is a key role when it comes to compliance with the General Data Protection Regulations (LGPD, in the Portuguese acronym) and will act as a communication channel between the government agencies, the data holders and the National Data Protection Authority (ANPD).
The DPOs within the federal government bodies will also ensure that all the procedures needed to ensure the privacy of citizens and the protection of their personal data are in place.
The requirement was issued by the SGD in November 22, with a 30-day deadline for the agencies to appoint their data officers. So far, around 55% of the government bodies, or 106 organizations in total, have complied with the directive.
With central government departments behind schedule, the SGD said the amount of DPOs that have been appointed so far is not satisfactory, and the Secretariat said it has “recently reinforced the priority of nominating of those in charge [of data protection] to the government bodies”.
In order to avoid conflicts of interest, the SGD has determined that the DPOs are not members of the IT team of the government body in question, or have anything to do with the management of the systems of the organization.
In addition, the SGD noted that the DPO must sufficiently skilled and preferably combine expertise in the areas of privacy management and protection of personal data, legal analysis, risk management, data governance and access to information in the public sector. The individual will also be be responsible for ongoing training of teams on issues of privacy and protection of personal data.
Also according to the regulations issued by the SGD, DPOs need to have direct access to senior management, and also support administrative units in responding to requests for information related to personal data processing of personal data.