DPO in practice: how the Data Protection Officer strengthens LGPD compliance in your organisation
- Author: Unova Team
- Published on: 05 Dec, 2025
- Category: Data Governance
Understand the practical role of the DPO (Data Protection Officer), their responsibilities and challenges, and how this function strengthens LGPD compliance, reduces risks and organises data governance in your organisation.
DPO, Encarregado, Data Protection Officer… the names change, but the role is the same: being the focal point for privacy within the organisation. Since Brazil’s LGPD (General Data Protection Law) came into force, many companies have rushed to update policies, contracts and cookie banners, but still have doubts about what the DPO actually does in practice.
More than a “mandatory role”, the DPO is a central piece of personal data governance. They connect internal teams, data subjects and the Brazilian Data Protection Authority (ANPD), helping to turn legal rules into real, day-to-day processes.
In this article, you will understand:
- what the DPO/Data Protection Officer is and why this role is so important;
- when the role is mandatory and why it can be valuable even when it is not;
- the main responsibilities and practical challenges of the DPO;
- how to choose between an internal, external or hybrid DPO model;
- and practical steps to structure the function in your organisation.
1. What is the DPO (Data Protection Officer) under the LGPD?
The LGPD defines the Encarregado (DPO) as the person appointed by the controller to act as a communication channel between:
- the company (controller);
- data subjects (customers, employees, suppliers, etc.);
- and the ANPD (Brazilian National Data Protection Authority).
In practice, this means the DPO is responsible for:
- receiving and coordinating data subject requests (access, rectification, erasure, portability, objection, etc.);
- guiding internal teams on how to handle personal data correctly;
- supporting the company in security incidents and in its relationship with the ANPD;
- and helping to demonstrate that the organisation is in continuous compliance, not only “compliant on paper”.
In other words, the DPO is not just a symbolic figure. They are the privacy guardian within the business.
2. Is a DPO mandatory for every company?
Article 41 of the LGPD requires the controller to appoint an Encarregado (DPO) for the processing of personal data, and leaves it to the ANPD to set complementary rules on the role, including the cases in which the appointment can be waived. The ANPD has used this power for small processing agents (micro and small businesses, startups and similar): they are exempted from appointing a DPO, but must still provide a communication channel for data subjects.
Even when there is no strict legal obligation, in practice, having a DPO (internal or external):
- organises personal data governance and avoids conflicting decisions between departments;
- facilitates the relationship with the ANPD in case of incidents or inspections;
- and shows the market that the company takes privacy seriously, which can be a competitive advantage.
In short: seeing the DPO as an investment in reputation and risk reduction tends to bring more return than viewing the role only as a compliance cost.
3. Key responsibilities of the DPO in practice
On a daily basis, the DPO acts as an integration hub between legal, information security, technology, compliance, HR, marketing and other teams. Here are some of their most important responsibilities.
3.1. Handling and engaging with data subjects
The DPO must ensure that the company has channels and structured processes to respond to data subject requests, such as:
- confirmation of processing and access to personal data;
- rectification of incomplete, inaccurate or outdated data;
- anonymisation, blocking or erasure where applicable;
- portability, withdrawal of consent, objection to processing based on legitimate interests, among others.
Beyond simply replying, the DPO must ensure that responses are provided within the statutory time frames (Article 19 of the LGPD requires an immediate simplified answer, or a clear and complete statement within 15 days of the request), using clear and accessible language. This reduces conflicts, administrative complaints and even litigation.
3.2. Point of contact with the ANPD
When the ANPD requests information, clarifications or initiates an investigation, the DPO acts as the organisation’s technical representative. They support:
- the collection of internal information;
- the preparation of well-founded responses;
- the proposal of action plans to correct any identified shortcomings.
Transparent communication with the ANPD, mediated by the DPO, is key to demonstrating good faith and diligence, which can have a direct impact on how sanctions are assessed.
3.3. Guidance, training and privacy culture
Another central role of the DPO is to act as an “internal educator” on privacy and data protection, promoting:
- regular training for teams that work directly with personal data;
- support materials, quick reference guides and FAQs to answer everyday questions;
- internal campaigns to reinforce good practices, such as secure e-mail use, phishing awareness, information classification, and more.
Without culture, the LGPD becomes just a set of documents. With culture, privacy becomes part of decision-making.
3.4. Supporting data mapping and governance
The DPO also supports the inventory of personal data processing activities, helping to answer questions such as:
- What personal data do we collect?
- For what purposes? What is the legal basis?
- Where is this data stored? For how long?
- With whom do we share it (third parties, processors, partners)?
This mapping is the foundation for drafting policies, reviewing contracts, defining security controls and reducing excesses (for example, collecting data that are not really needed).
3.5. Managing risks and incidents
From a security standpoint, the DPO does not replace the technical team, but must be involved in privacy risk management. This includes:
- participating in the assessment of new projects that involve personal data (privacy by design);
- assessing the severity and impact of incidents involving personal data (breaches, unauthorised access, etc.);
- supporting the decision on whether to notify the ANPD and data subjects, where required (Article 48 of the LGPD requires notification of incidents that may cause relevant risk or damage to data subjects, and the ANPD's incident regulation sets a deadline of only a few working days, so this assessment cannot wait);
- following up on remediation plans and improvements after an incident.
A well-managed response, coordinated by the DPO, can significantly reduce the reputational and regulatory damage of an incident.
4. What is the ideal profile for a DPO?
There is no single mandatory educational background, but some elements are common in the most successful profiles:
- Multidisciplinary mindset: the DPO needs to understand, at least at an intermediate level, concepts from law, technology, information security and business processes.
- Independence: the role should not be subordinated to short-term interests that could compromise data protection. The DPO must be free to highlight risks and to say “no”.
- Clear communication: they will often be asked to explain complex topics in simple terms to managers, staff, customers – and to the ANPD itself.
- Access to senior management: the DPO must be heard in strategic decisions involving personal data, not simply “informed afterwards”.
Organisations that treat the DPO as a business partner, rather than just a “legal gatekeeper”, tend to achieve better results.
5. Internal DPO, external DPO or hybrid model?
A common question is whether the DPO should be someone from within the organisation or an external professional/service provider. Each model has its strengths and challenges.
5.1. Internal DPO
Advantages:
- deep knowledge of the culture, processes and internal systems;
- closer relationship with teams and day-to-day operations;
- faster responses in decisions that require detailed business knowledge.
Challenges:
- avoiding conflicts of interest (for example, where the DPO is also the director who approves aggressive data-driven marketing campaigns);
- requires ongoing investment in training and updates on privacy and security;
- risk of overload if the DPO accumulates other strategic responsibilities.
5.2. External DPO (as a Service)
Advantages:
- brings practical experience from different clients and sectors;
- tends to have a more independent view, less subject to internal pressure;
- can be more cost-effective for organisations that do not have enough demand to justify a full-time internal DPO.
Challenges:
- needs a strong communication channel with an internal focal point to receive information and implement actions;
- requires well-structured contracts and a clear definition of responsibilities and SLAs;
- if not integrated into day-to-day work, can become just an “on-call consultant” with little real impact.
5.3. Hybrid model
Many organisations opt for a hybrid model in which:
- there is an internal person (or small committee) responsible for privacy and data protection,
- supported by an external DPO who provides strategic insight, help with complex cases and interaction with the ANPD.
This model often balances cost, proximity to the business and independence.
6. How to structure the DPO function in your organisation
If your organisation is just starting to structure the DPO role, some practical steps can help put things in order.
6.1. Formalise the appointment and scope
- Officially record the appointment of the DPO (for example, in an internal resolution, board minutes or contract).
- Define who the DPO reports to (ideally, senior leadership or the board).
- Clearly describe the DPO’s responsibilities, boundaries and autonomy.
6.2. Create official communication channels
- Set up a dedicated e-mail address for data subjects and the ANPD (for example, dpo@yourcompany.com).
- Include information about the DPO and contact details in your privacy notice and on your corporate website.
- Establish an internal workflow to log, handle and respond to data subject requests.
6.3. Map processes and personal data
With the DPO’s support, create an inventory of personal data processing activities:
- what data are collected in each process (onboarding, HR, sales, support, etc.);
- what purpose and legal basis apply;
- where these data are stored (internal systems, cloud, spreadsheets);
- with whom they are shared (processors, partners, suppliers).
This map will be the basis for identifying risks, prioritising compliance projects and defining security controls.
6.4. Update policies, contracts and procedures
- Review internal and external privacy policies so that they reflect reality as shown in the data mapping.
- Adjust contracts with processors to include data protection clauses, responsibilities and security obligations.
- Create specific procedures for critical topics: data retention and disposal, incident response, use of personal devices (BYOD), remote work, and so on.
6.5. Invest in ongoing training
Privacy is not solved with a single workshop. The DPO should plan recurring initiatives, such as:
- onboarding for new employees with a data protection module;
- annual training for critical areas (marketing, customer service, IT, HR);
- short campaigns on key dates (Safer Internet Day, Data Privacy Day, etc.).
7. Common mistakes when implementing the DPO role
Some mistakes can undermine the effectiveness of the DPO and even create a false sense of compliance:
- Appointing a “figurehead” DPO with no time or autonomy to act.
- Putting all LGPD responsibility onto the DPO while other areas continue to process data as before.
- Leaving the DPO out of major decisions about new systems, integrations, campaigns and partnerships that involve personal data.
- Failing to keep evidence of decisions, training, incidents and measures taken. Without documentation, it is hard to prove good faith during an inspection.
8. Best practices for a DPO that delivers results
For the DPO to genuinely strengthen LGPD compliance in your organisation and deliver real value, some best practices help:
- Involving the DPO from the beginning of new projects that involve personal data (privacy by design).
- Keeping the processing inventory up-to-date and integrated with other controls (security, compliance, enterprise risk).
- Defining privacy metrics, such as:
  - average response time to data subjects;
  - number of incidents and their severity;
  - training participation levels;
  - status of compliance action plans.
- Building a culture in which staff feel comfortable reporting incidents and doubts without fear of immediate punishment.
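The request workflow of section 6.2 (log, handle and respond to data subject requests) and the first metric above (average response time to data subjects) can be backed by a very small register. The following is an added example written for this article, not code from the original page or from Unova. The names (`Register`, `Request`, `SLA_DAYS`), the 15-day response window and the sample tickets are assumptions: the SLA should be set to whatever period the DPO defines for each request type, and the tickets are constructed data.

```python
"""Data-subject-request (DSR) register with deadline tracking and the privacy
metrics a DPO reports to management. Added example; not code from the page."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumption: calendar days allowed for a complete response. Adjust to the
# period your DPO defines for each request type.
SLA_DAYS = 15

# Request types, taken from section 3.1 of the article.
REQUEST_TYPES = {
    "access", "rectification", "erasure", "portability",
    "objection", "consent_withdrawal",
}


@dataclass
class Request:
    ticket: str
    subject_ref: str            # pseudonymous reference; keep raw identity out of reports
    kind: str
    received: date
    closed: Optional[date] = None

    def deadline(self) -> date:
        return self.received + timedelta(days=SLA_DAYS)

    def days_to_close(self) -> Optional[int]:
        return None if self.closed is None else (self.closed - self.received).days

    def is_late(self, today: date) -> bool:
        """True if closed after the deadline, or still open past it."""
        return (self.closed or today) > self.deadline()


class Register:
    """In-memory register; a production one would be an append-only store with an audit trail."""

    def __init__(self) -> None:
        self._items: Dict[str, Request] = {}

    def log(self, ticket: str, subject_ref: str, kind: str, received: date) -> Request:
        if kind not in REQUEST_TYPES:
            raise ValueError(f"unknown request type: {kind}")
        if ticket in self._items:
            raise ValueError(f"duplicate ticket: {ticket}")
        req = Request(ticket, subject_ref, kind, received)
        self._items[ticket] = req
        return req

    def close(self, ticket: str, closed: date) -> None:
        req = self._items[ticket]
        if closed < req.received:
            raise ValueError("closing date precedes receipt date")
        req.closed = closed

    def due_soon(self, today: date, within_days: int = 5) -> List[str]:
        """Open tickets whose deadline falls within the next N days (already overdue ones excluded)."""
        out = []
        for req in self._items.values():
            if req.closed is None:
                left = (req.deadline() - today).days
                if 0 <= left <= within_days:
                    out.append(req.ticket)
        return sorted(out)

    def metrics(self, today: date) -> dict:
        """Backlog and response-time figures for the DPO's management report."""
        closed = [r for r in self._items.values() if r.closed is not None]
        open_ = [r for r in self._items.values() if r.closed is None]
        avg = round(sum(r.days_to_close() for r in closed) / len(closed), 1) if closed else None
        return {
            "open": len(open_),
            "closed": len(closed),
            "avg_days_to_close": avg,
            "overdue_open": sorted(r.ticket for r in open_ if r.is_late(today)),
            "closed_late": sorted(r.ticket for r in closed if r.is_late(today)),
        }


def example_register() -> Register:
    """Constructed sample tickets (not real requests), as of 5 Dec 2025."""
    reg = Register()
    reg.log("DSR-001", "subj-a1", "access", date(2025, 11, 3))
    reg.close("DSR-001", date(2025, 11, 10))                         # 7 days, on time
    reg.log("DSR-002", "subj-b7", "erasure", date(2025, 11, 10))
    reg.close("DSR-002", date(2025, 11, 28))                         # 18 days: answered, but late
    reg.log("DSR-003", "subj-c2", "portability", date(2025, 11, 25))  # deadline 10 Dec
    reg.log("DSR-004", "subj-d9", "rectification", date(2025, 11, 14))  # open past its deadline
    reg.log("DSR-005", "subj-e4", "objection", date(2025, 12, 3))
    return reg


def example_report(today: date = date(2025, 12, 5)) -> dict:
    reg = example_register()
    return {"metrics": reg.metrics(today), "due_soon": reg.due_soon(today)}


if __name__ == "__main__":
    print(example_report())
```

The two late flags are deliberately separate: `overdue_open` is the list to chase this week, while `closed_late` feeds the response-time metric and shows where the process, not the backlog, needs fixing. Storing only a pseudonymous `subject_ref` keeps the register itself from becoming another copy of personal data that has to be mapped and retained.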
9. Conclusion: the DPO as a strategic ally of the LGPD
The DPO is not a “luxury” reserved for large corporations. In a context where personal data are increasingly valuable – and regulated – having a professional (or dedicated structure) focused on privacy is a way to:
- reduce legal, regulatory and reputational risks;
- organise internal processes and accountabilities;
- build trust with customers, partners and employees;
- and turn the LGPD into a competitive advantage rather than just an obligation.
If your organisation has not yet clearly structured the DPO role, starting with a simple diagnosis and an objective action plan is already a major step. What matters is that the Encarregado exists, is respected and has real conditions to strengthen the culture of data protection across the organisation.