
Data Protection and Privacy and the CPO

Despite the Covid-19 pandemic, which has attracted attention from all over the world, issues related to personal data protection still arouse the interest of many people, especially here in Brazil, because of the upcoming entry into force of the LGPD, which Provisional Measure 959 of April 29, 2020 postponed to May 3, 2021.

This issue gained much relevance with the entry into force of the GDPR on May 25, 2018 across the territory of the European Union, which brought up the figure of the DPO – Data Protection Officer. The DPO must ensure that the organization processes the personal data of its staff, customers, suppliers and any other individuals in accordance with the applicable data protection rules. Under the Brazilian LGPD, the role of the DPO is assumed by the “Encarregado”.

However, the CCPA is next in line: the personal data protection law of California (USA), which came into force in July 2020.

It is important to note that the CCPA does not refer to the figure of the DPO. However, the importance of having someone who watches over the collection of personal data and interacts with consumers on matters relating to data protection is beginning to gain strength in the USA, especially in California. With this, the concept of the CPO – Chief Privacy Officer is strengthened, built on the premises above. It is a corporate executive position charged with developing and implementing policies designed to protect employee and customer data from unauthorized access.

It is important to note that this concept started to gain strength after the approval of HIPAA (the Health Insurance Portability and Accountability Act) in 1996, which began to require that a professional be responsible for the data of companies operating in the health sector in the USA.

Considering the phenomenon of globalization, it will not be uncommon for many transnational American companies to be subject to the GDPR, which in itself would justify the need for a DPO.

As the DPO already has its specific requirements defined, namely (i) more than 5 years of experience with EU and global privacy laws, (ii) experience with IT infrastructure and programming and (iii) experience with audits of IT systems, there is a consensus that the CPO should have these skills as minimum requirements. On the other hand, at present it will not be easy to find professionals with such a profile. The International Association of Privacy Professionals – IAPP estimated an initial need for 28,000 qualified professionals to assume these roles.

Here it is possible to understand in more depth the tasks performed by this professional:

1. Creates a strategic and comprehensive privacy program that defines, maintains, develops and implements policies and processes that allow consistent and effective privacy practices, minimizing risks and guaranteeing the confidentiality of personal data, on paper and/or in digital form.

2. Works with the organization’s senior management, security and corporate compliance to establish governance for the privacy program.

3. Plays a leading role in privacy compliance.

4. Ensures that forms, privacy policies and procedures are kept up to date.

5. Establishes an ongoing process to track, investigate and report inappropriate access to and disclosure of personal data.

6. Performs or supervises the initial and periodic evaluation/analysis, mitigation and correction of privacy risks to information.

7. Performs ongoing compliance monitoring activities, in coordination with other compliance functions and the company’s operational assessment.

8. Monitors patterns of inappropriate access to and/or disclosure of protected health information.

9. Assumes a leadership role to ensure that the organization has and maintains adequate privacy and confidentiality consents, authorization forms, notices and information materials that reflect current company and legal practices and requirements.

10. Supervises, develops and delivers initial and ongoing privacy training to employees.

11. Participates in the development, implementation and continuous compliance monitoring of all business partners with whom the company has a contract, to ensure that all privacy requirements and responsibilities are met.

12. Performs the necessary assessment, documentation and mitigation of breach risks, and works with Human Resources to ensure the consistent application of sanctions for privacy breaches.

13. Manages processes to investigate and act on privacy and security incident complaints.

14. Fosters activities that promote awareness of information privacy within the company.

15. Maintains current knowledge of privacy laws.

16. Manages all breach notification processes required by the authorities.

However, a reasonable alternative to the impossibility of finding a professional with such skills would be to outsource this service, hiring someone with the appropriate qualifications to perform this function, since there is no obligation for the duties of a CPO to be performed internally.

AUTHORS:

Douglas Leite

Alexandre Dalmasso