How “DPO” as a Service can help small companies maintain compliance with the LGPD

Is your company subject to Lei Geral de Proteção de Dados (LGPD)—the Brasilian data protection law? Pursuant to Article 41, a key component to ensure compliance with the law is appointing a Data Protection Officer (DPO). Failure to comply with the law can result in warning or fine that can reach up to 2% of the organization’s annual revenue, but no more than R50 million, or $10 million.

According to @Olhar Digital, companies have started to offer “DPO as a service,” as well as specialized trainings on the law.[1] This can be particularly helpful for small businesses, start-ups, and potentially mid-sized businesses who may not be able to officially appoint DPO.

As of August 30^th, the National Data Protection Authority (ANPD) proposed to exempt smaller businesses from maintaining a DPO, by allowing smaller companies to have an alternative communication channel.[2] The proposed regulatory change attempts to find a balance between the rule prescribed within the LGPD and consider the size of the data processing agent. It is important to note, however, that the proposal excludes from framing organizations who process data that is considered “high risk,” such as children, or data that is collected via surveillance technologies. In other words, small businesses may still need to appoint a DPO if the organization collects and processes sensitive information.

As part of our service, MDS offers DPO as a service (DPOaaS) or Privacy Officer as a service (POaaS). Both services address the needs for a DPO or Privacy Officer under a variety of privacy regulations, such as the GDPR,[3] LGPD, and PIPEDA.[4] There is no one size fits all to privacy and legal compliance. Therefore, we provide a unique and tailored approach to privacy and legal compliance. 

Our DPOaaS and POaaS offerings provide our customers:

• Compliance with applicable legal obligations by utilizing intelligent technology that identifies an organization’s gaps and risk score of noncompliance
• Privacy impact assessments and documentation
• Continuous monitoring and quarterly audits
• Privacy trainings tailored to applicable regulatory regimes
• Policies and procedures that are driven by privacy by design and information security
• Proactive solutions to incident response

To learn more about our privacy services, you can connect with our in-house privacy attorney, Ashley Pusey, Esq. at apusey@mdsny.com.

[1] Vaz, Henrique, The importance of DPO after the implementation of the LGPD, Olhar Digital (Sept. 2, 2021), https://olhardigital.com.br/en/2021/09/02/pro/a-importancia-dpo-apos-a-implementacao-da-lgpd/

[2] ANPD Facilita LGPD para pequenos, Baguete (Sept. 1, 2021), https://www.baguete.com.br/noticias/01/09/2021/anpd-facilita-lgpd-para-pequenos

[3] The General Data Protection Regulation, which is the privacy law under the European Union regime.

[4] The Personal Information Protection and Electronic Documents Act, which is the privacy law that governs the Canadian regime.

The material and information provided in Maureen Data Systems (“MDS”) Content are for general information only and should not, in any respect, be relied on as professional advice. The MDS Content shall be construed as author-based content and commentary. Accordingly, no warranties or other guarantees are offered as to the quality of the opinions, commentary or anything else appearing in such MDS Content. MDS expressly reserves the right to delete stories at its and their sole discretion.