What is DPO and what does this profession represent within a company are common questions for people who don’t deal with information security in their daily lives.
However, anyone who thinks that data protection is far from anyone’s day-to-day life, even if they’re not working, is mistaken.
The DPO (Data Protection Officer) is the professional responsible for the security of a company’s information, including the data of customers and suppliers who pass through the organization.
And speaking of security, only a verified mailing list can reach leads’ inboxes. So protect your mailing lists!
The profession of DPO emerged because of the advance of the internet and has been relevant since 2020, when the GDPR – General Data Protection Regulation – came into force.
Do you want to know if your company complies with the GDPR? We have an exclusive webinar on the subject!
What a DPO does
The Data Protection Officer (this is what the profession is called) is responsible for the data with its owners. In other words, the professional answers consumers’ questions or complaints about the collection and use of their data.
The DPO is also responsible for overseeing all activities involving the company’s own information and that of third parties, ensuring that the business complies with the GDPR and good practices.
In this way, the DPO analyzes how much and what data is collected, who has access, what this information will be used for and how it will be stored.
Based on all these observations, the professional draws up manuals and reports suggesting corporate adjustments in order to avoid problems.
What is DPO sounds like a simple function, but it’s not. This is because each company works in a different way and the data that passes through it is also handled differently.
This requires the professional to be frequently immersed in the company’s culture. They have to keep an eye on all the movements that involve information.
Here’s how the DPO profession came about.
How it all began
In 2014, a Facebook quiz began collecting data from millions of users. Cambridge Analytica, a political consulting firm, used this information to personalize its clients’ political campaigns.
As a result, several candidates were favored because their campaign ads were only shown to voters who were most susceptible to their persuasive arguments.
The problem is that Facebook is not a data collection company, and there is no permission from users to collect their personal information. This amounts to abusive data management practices and a violation of privacy.
In conclusion, 87 million people around the world had their data shared by Cambridge Analytica. All this happened because in 2014 there was no type of legislation created to protect users’ online privacy.
After the incident, the European Union created the GDPR – General Data Protection Regulation – which served as a model for other countries’ data and online privacy legislation.
Brazil enacted the General Data Protection Act in 2020 and the USA, the ADPPA (American Data Privacy and Protection Act) in 2022.
What are the types of DPO?
There are two DPO profiles. They are
Legal profile: these are the professionals who observe what can and cannot be done. For example: registration forms can collect sensitive data, as long as the user allows it.
It’s worth remembering the difference between personal and sensitive data. The former is identifying information such as telephone number and address, and the latter is information relating to intimacy, such as sexual and political preferences.
IT profile: these are web developers with technical cybersecurity skills. They are responsible for protecting against hacker attacks that steal company data.
The Data Protection Officer may tend more towards one profile than the other, or they can (and should) combine the two. The greater their knowledge of both responsibilities, the more protected the company will be.
Conclusion
Every online business receives and sends data from the company itself as well as from its customers, employees and suppliers.
Keeping track of all this information requires the presence of a trained professional. The DPO is a new profession, but one that is extremely necessary for companies that comply with the GDPR.
It’s important to note that companies that break the law are fined up to 2% of their turnover.
FAQ
Why do companies need a DPO?
The process of digitalization in companies requires data processing, and with the enactment of the GDPR, organizations need to comply with the rules in force for collecting and handling their own information as well as that of their customers.
Every company needs to have a Data Protection Officer on staff to avoid problems of non-compliance with the GDPR.
What are the duties of a DPO?
This professional represents the company before the National Data Protection Authority (ANPD), while answering consumers’ questions regarding the processing of their personal data.
The DPO also analyses all the information that passes through the organization in order to guarantee compliance with the GDPR.
How did this profession come about?
The Cambridge Analytica scandal exposed the favoring of political campaigns through the collection of data from Facebook accounts.
This led to the creation of the European Union’s first data protection law, the General Data Protection Regulation (GDPR). This model was used in the US to draft the ADPPA.
With the legislation came the need for a professional to monitor companies’ compliance with data protection rules.
What is the profile of this professional?
The DPO has a legal profile and an IT profile. The former is responsible for analyzing the things that can be done, and the latter is responsible for the technical side of cybersecurity.