I consider respect for privacy as the main objective of personal data protection rules.
This is because privacy is the basis on which the individual freely forms and exercises his/her personality. Privacy is the intimate domain of your physical, mental, emotional and spiritual condition. It concerns only you, with exceptions. And so is the law.
The letter “e-” precedes each day more substantives, a consequence of entrepreneurship. I also recognize the growing importance of the processing of personal data for the full exercise of economic freedom. And so does the law.
In this sense, I interpret the processing of personal data as a lawful but risky activity. From this follows consequent management, to all effects. Here too, reckless, negligent or omissive management causes serious financial, reputational and regulatory consequences. And so prescribes the law.
The proposed solution to the imminent risk of data breach is to map it and rigorously enforce the standard. Compliance security effectively reduces risk. It is a daily, continuous and persistent activity. It is feasible and it has benefits.
Even in case of failure, the foregoing compliance is a precedent of good faith and of necessary acknowledgement by the supervisory authority and the judge.
The data protection officer (DPO) is part of this context. Its knowledge of the company’s lawful treatment processes, combined with the technical and precise application of the standard, reduces costs and enables new processes.
The DPO is responsible for maintaining and improving personal data protection measures, in a free and independent manner, in the interest of the law, the data subjects and the licit activity at risk.
The DPO is also responsible for the analysis and framework of new data processing activities in accordance with regulations, for the management of data protection processes and for interfacing with data subjects, supervisory authorities and senior management.
Its activity is expressly foreseen and recognized in the data protection regulation of the European Union (GDPR) and in the Brazilian law (LGPD). More than a function, it is a role and a service.
The European norm requires the appointment of a person in charge or such service in three cases: a) in public authorities b) in companies whose object consists of regular or systematic monitoring of data subjects on a large scale, or c) in companies that deal on a large scale with special categories of personal data, such as data indicating membership of an ethnic, religious, political, union group, or health, medical and sexual data, for example.
Brazilian law has not ruled on the mandatory hypotheses for the exercise of the data protection officer, but it expressly recognizes his service and does not leave it aside.
Its mention in the law is already a clear indication that it will be valued by the data protection authority and the courts, especially if in the full exercise of its capacity to conform treatments to the standard.
Relying on the service of a data protection officer, apart from its intrinsic technical benefit, will be regarded as a certificate of security, reliability, quality and respect for the individuals whose personal data is being processed.
We are at your disposal for further information about this service and about data protection solutions at Thomas.prete@outlook.com.