Two recently passed data privacy laws impact the selection of Data Protection Officers, but provide varying degrees of specificity on the subject: the Chinese Personal Information Protection Law (PIPL) and the Brazilian General Data Protection Law (LGPD). Since both laws share similarities with the EU General Data Protection Regulation, and I was already looking into the LGPD, I decided to compare the requirements for Data Protection Officers from all three at once.
As a reminder, a DPO is an individual who is responsible for privacy compliance and for interfacing with data subjects on behalf of an organization, as required by privacy laws in countries and states where the organization does business.
Who needs a DPO?
The PIPL would require a DPO for any organization processing personal information in China or from Chinese people that has more than 200 employees, whose main business involves processing personal information, or that processes the personal information of over 500,000 people or expects to do so within the next year.
The LGPD is even less prescriptive than the PIPL (and this will be a theme as we go on): it requires any data controller processing personal data to have a DPO.
The GDPR requires a DPO for public authorities processing personal information of EU data subjects, any organization whose core activity is processing personal information and regularly observes its data subjects, or any organization whose core activity is processing special data categories on a large scale.
Who can be a DPO?
The PIPL doesn’t specify whether a DPO can be contracted, but it does require the DPO to be someone within the organization and located in China.
The Brazilian Supervisory Authority, the ANPD, has provided guidance saying that a DPO can be outsourced by contract to an external party or to someone outside of the country, since the LGPD doesn’t lay out any specifications. The only recommended qualification is that the DPO be someone capable of completing the required DPO activities.
The GDPR also allows a DPO to be a contractor or to be located outside of the EU. It also lists qualifications such as previous experience engaging with new laws, auditing information systems, and managing multiple projects, along with knowledge of IT programming or infrastructure.
Since only data controllers are subject to LGPD’s DPO requirement, companies processing data on behalf of other organizations are exempt.
One area where GDPR stands out from LGPD and PIPL is in guaranteeing that the DPO won’t be held responsible for the organization’s noncompliance. Neither the LGPD nor the PIPL says this explicitly.
GDPR, while being the most prescriptive, may also be the easiest to follow because the expectations are fully laid out. PIPL appears to place many expectations on the DPO. LGPD may be the most difficult to follow because it leaves so much to interpretation or follow-up from the ANPD.