'It’s important we establish a culture of data privacy among young people'

Davis Alves, president of the National Association of Data Privacy Professionals (ANPPD) and member of the National Council of Data Protection (CNPD), discusses the roll-out of the Brazilian data protection law and the importance of choosing the right date for Brazil’s National Data-Protection Day.

Posted Friday, June 9, 2023

With the entry into force of the LGPD (data protection law), an increased demand for data protection specialists was expected. Has this transpired?

The LGPD requires all businesses to have a data privacy professional, either a DPO or a person in charge, with the exception of small data-processing agents. However, many business-people are not even aware of the existence of the law, let alone the detail of the obligation for companies to hire professionals capable of managing data protection. Until the LGPD awareness barrier is broken, recourse to data-privacy professionals will remain limited.

What is the process for evaluating a prospective DPO? What profile and soft skills are needed?

The expected profile is, mainly, deep knowledge of the LGPD combined with the requisite technical knowledge to be able to carry out data protection in practice, thus avoiding cyberattacks. This is achieved through mastery of information and IT security measures. Legal knowledge is also necessary for data privacy professionals to understand what is called for. Finally, knowledge of governance and processes is indispensable, as we need technical and administrative measures to be part of the company’s ecosystem.

Regarding soft skills, good communication skills are a must in order to bridge gaps between all sectors on the subject of data protection. In addition, leadership capabilities are needed to steer the organization where it needs to go, and a holistic view is required of how personal data is handled across all areas of the business.

We need the LGPD to be discussed outside the bubble of the legal profession.

You took over as president of the ANPPD in 2019, a year before the LGPD came into force. What changes have you observed in the data-protection landscape since then?

The number of people who know about the LGPD today is most impressive! At first, I was called crazy, and one person even asked: “Davis, why do you want to bring a European law to Brazil? Brazil has never had wars like Europe, so worrying about privacy is only for Europeans.”

This is just one example of the prevailing mindset at the time, including by professionals who nowadays work with and earn a lot of money from the regulation and have recognized their error. Another factor that surprised me was the number of multidisciplinary professionals talking to each other, something never before seen in the history of this country. The LGPD put information technology professionals, lawyers, directors and governance together on a continuous basis at the same table, not just to talk about the opening or closing of companies. However, much still needs to be done.

We need the LGPD to be discussed outside the bubble of these professionals, for it to reach entrepreneurs and politicians! Getting these two groups on board is the most important factor in ensuring the LGPD is properly enforced in Brazil.

In the case of businessmen, it is important, because if they do not buy into the idea of data protection within corporations, data-privacy professionals will not be recognized, and adequacy projects will not be prioritized.

In the case of politicians, during their election campaigns, in addition to the traditional issues such as public safety, healthcare, education, and the economy, now they must also take a position on privacy and data protection. If this does not happen, they will be running outdated political campaigns for people from the last century! The politician who campaigns on current digital problems (hacks, privacy violations, fake news, etc.) will gain traction with millennials and Gen Z – who will back someone championing these issues.

What developments in the world of data protection can we expect in 2023?

An increase in hacks on companies: the pandemic forced many employees to stay at home, but companies could not adequately protect their computer networks, which began to be accessed from home computers, which did not have the same level of security, serving as weak spots through which various cyberattacks were made. The chickens have come home to roost with these vulnerabilities, and soon we will see many people and companies saying that they had their social network accounts hacked and corporate data stolen.

Lastly, I predict we will see the first companies fined for not protecting data: at the end of February, the ANPD released the dosimetry process for sanctions, which means that administrative fines can already be applied. The National Authority has also published a list of processes that are in progress, and we believe that in the first half of the year we will learn which companies will be the first to be fined.

Another trend will be people claiming compensation from companies for damages caused by breaches of privacy: it is a fact that data breaches can damage people’s image, and art. 42 of the LGPD states that the institutions must compensate the damages to the people who had their image affected by a data leak. The problem is that there will also be people acting in bad faith who will initiate lawsuits against a company in the hope of securing compensation. We need to see how the Brazilian judiciary deals with this situation.

Then there is the establishment of Brazil’s National Data-Protection Day, with the bill currently going through congress, which after long study has proposed August 14th as National Data Protection Day, a date which would allow several schools and universities to carry out educational campaigns, helping the issue of privacy to take root culturally in Brazilian society. This project is great, and we hope that it will be approved as soon as possible.

However, we have a big problem: an amendment was proposed to the bill which would see the date change to July 17th, a month when schools and universities are off. This would be a shame, because we would be the only country in the world to have a data protection day during a period when the schools are closed. There is no technical, legal or scientific basis to support this change, just an emotional argument in honor of a distinguished deceased Brazilian, whose merit is indisputable; however, more important than National Data Protection Day falling on the date of their death is that we establish a culture of data privacy among young people! We urgently need federal deputies and the president of the republic to veto this amendment to Bill 2076/2022 – an amendment many are not even aware of.


By: Daniel Dias