In Brazil, the Data Protection Act, federal law nº 13,709/2018, regulates the profession of ‘data protection officer’ (D.P.O.). The profession still seems relatively unknown, yet it has become very coveted lately. A quick Google search is enough to find news of salaries for this role reaching up to R$ 20,000 (twenty thousand reais), or approximately $5,000.00 (five thousand dollars), per month. The average data protection officer salary in the United Kingdom is £42,691 per year or £21.89 per hour.
The internationally known ‘data protection officer’ (D.P.O.) is called ‘encarregado’ in Brazil, which literally means ‘someone in charge’.
The D.P.O. is responsible for everything that involves collecting data, whether sensitive or not. This professional must be in charge of data processing. Due to this immense responsibility, the salary of a D.P.O. is considered high and promising.
The importance of data security appears on the national scene with great intensity. Bill n. 3,825/19, which provided for the regulation of cryptocurrency operations in Brazil, was filed by deliberation of the Senate during the vote on Project Law n. 4401/2021, which was recently approved in the Federal Senate and is scheduled to return to the Chamber of Deputies for deliberation. The Bill approved in the Senate, n. 4401/2021, deals with providers of virtual asset services.
Some experts compare data to an input in the production chain, calling it the ‘new oil’. These legal facts demonstrate the practical and economic relevance of the subject in the Brazilian legal-political scenario.
To understand the D.P.O., we need to differentiate it from the ‘controller’ and ‘operator’ figures, considering the concepts and functions established in Law 13.709/2018. To be clear, it is worth describing the content of article nº 5 of the law mentioned above, namely:
“Art. 5 For this law, it is considered:
VI – Controller: natural or legal person, governed by public or private law, responsible for decisions regarding the processing of personal data;
VII – operator: natural or legal person, governed by public or private law, who processes personal data on behalf of the controller;
VIII – person in charge: a person appointed by the controller and operator to act as a communication channel between the controller, data subjects and the National Data Protection Authority (ANPD)”.
The controller is nothing more than the company owner whose data is collected. It designates the purpose of data collection, i.e. when to delete it or when to store it. It therefore bears a higher risk of answering for damages.
The operator is responsible for processing the data. It can be a person internal to the company or an external third-party company that helps in processing the data, for example, one that operates via a cloud platform.
The operator puts the controller's commands into practice. It does not change the essential rules established by the controller. Therefore, it does not influence crucial elements of the means of processing (creation, modification and deletion of data), under penalty of being held liable as if it were the controller.
The operator can only decide on non-essential elements of the means of processing, such as technical information security measures, for example, which antivirus should be installed on the storage server.
Next comes the ‘encarregado’. The responsibilities of the ‘Data Protection Officer’ (D.P.O.) are, in short:
(1) Act as a “bridge” between the company, the consumer and the supervisory body;
(2) Accept complaints and communications from the data subjects, provide clarifications and adopt measures;
(3) Inform and advise the data controller or data processor (controller and operator);
(4) Supervise, ensuring that the data processing policy is being complied with;
(5) Provide any information about data processing when requested;
(6) Be in communication with the ANPD (National Data Protection Agency).
A “Data Protection Officer” can be an individual or a legal entity. No specific certification is required to become a D.P.O.: the law does not specify that one must have any certification or training. Still, it is advisable for the person in charge to have basic notions of Law and of data processing, more specifically, Information Technology (I.T.).
Some certifications will help in finding better proposals in the market; for example, the EXIN certification, recognized worldwide, prepares the D.P.O. to deeply understand information security policies based on ISO 27001.
With the exponential growth of Digital Law, data protection stands out as a promising area full of challenges to be interpreted and implemented. And the D.P.O. is at the heart of the work to be carried out in this context.
