Published on January 21, 2022
The General Data Protection Law (LGPD) emerged as a historic landmark for Brazilian society. Sanctioned by the Federal Government in 2018, it establishes a series of rules regarding the corporate use of personal data. With the arrival of 2020, the year in which the LGPD definitively enters into force, companies must ensure that they are in line with the new guidelines.
It is, however, natural that many questions will arise when dealing with this topic. After all, what does the LGPD say? What are the main changes regarding the use of data from customers and users in general? What is the impact of this on the market? What are the points that should get the most attention? With all this in mind, we created this article to try and clarify any questions you may have on this matter. Check it out!
Inspired by the General Data Protection Regulation (GDPR), the European law that regulates this area, the LGPD (Law 13.709 of 2018) holds as its main guiding principle the determination that the collection and storage of data can only be done with the consent of the holder. This applies to both public and private institutions.
In this sense, the organization must establish what the purposes of that process will be, that is, for what it will use the information it is collecting and/or storing. If the data is related to a minor, it is necessary to request the consent of the parents or legal guardians.
If there is any change in these processes, it is necessary to get in touch once more with the user, so that the person agrees with the new conditions of the use of their data. As a result, the way companies and other organizations handle information from their customers — and even their employees — tends to change radically.
With this in mind, when sanctioning the LGPD in 2018, the government defined that it would come into force in August 2020, so that institutions would have time to become aware of and adapt to the new rules. With the deadline now coming to an end, it is time to clarify any and all questions one may have about the law.
It must be borne in mind that the main objective of the LGPD is to protect the population’s personal data against possible misuse. With the growing digitization of public and private activities, the perception emerged that the exposure of information has become greater and, consequently, requires more detailed measures to preserve individual rights.
As such, some characteristics of the LGPD were designed to meet these demands. To begin with, the LGPD established the creation of the National Data Protection Authority (ANPD), an entity responsible for monitoring, inspection and also possible application of fines — something that we will detail later.
Each company, in turn, must nominate a “manager” or “controller” to handle this matter internally. Roughly speaking, it is this manager’s responsibility to know the legislation and ensure compliance with the rules. They must also be the point of contact for ANPD and the holders of the data that the company stores.
One of the controller’s duties is to provide assistance to customers who bring a complaint to the company. They must register these cases and provide clarifications when required. They must also dialogue with ANPD, adopt measures to adapt to the rules and guide the company’s employees, among other functions.
An important point of this work is the company’s communication strategy. Centralizing communication channels in a multichannel system, for example, tends to improve and optimize the dialogue with customers. It is worth noting that communication is precisely the area that must follow these rules to the letter.
With the LGPD in place, the company must reassess its processes and define what data it really needs in order to offer its products and services. After all, even though this data is an essential basis for decision making, its collection must be controlled, that is, it cannot include new information without a real need and, of course, the holder’s consent.
As we mentioned, every change in the process requires new consent. This means that, as determined by the LGPD, the company must have full control over the data lifecycle, from its collection, through to its use and eventual disposal. And of course, the holder must be aware of all of this.
Being caught in violation of the law can bring huge losses to the company, particularly from a financial point of view. If an irregularity is identified by ANPD, which will function as an autonomous arm of the Ministry of Justice, the institution may be fined up to 2% of its annual revenue, with a limit of R$50 million for each infraction.
In more specific cases, the fine can be applied daily until the company solves the problem in accordance with ANPD’s guidelines. It is worth noting that the law states that any leak identified must be immediately reported to the national authority.
The first major impact on companies is the need to prepare and apply an efficient information security policy. All professionals must be trained to handle personal data in accordance with the new determinations. In addition, the policy should include an incident response plan to deal with potential leaks.
The objective is not only to guarantee the security of this information, but also to prepare the company to deal with unforeseen events. After all, a fine of these proportions is extremely harmful, whether it is caused by human error, mischance or a cyberattack.
Another relevant point that every company must assimilate is that employee data must also be part of this information management. Therefore, an interesting strategy is the formation of a committee of people to create strategies that align the organization’s particularities with the demands of the LGPD.
Finally, it is worth highlighting the importance of having experts on the subject to give your company the proper support. Often, the lack of a qualified professional to deal with this can have negative side effects. For example, you could forget some detail of the law, or perhaps bring measures that will overcompensate and thus damage the efficiency of any data being held.
It is worth consulting with the right professional to ensure that everything will run smoothly. The LGPD isn’t the bogeyman, but it does require care so as not to leave any loose ends, especially in environments that have a large number of departments and use large volumes of data.
As you can see, it is important to give the matter due attention. With the LGPD coming into effect, information security becomes an even more strategic issue for companies. So, analyze your processes, identify the actions to be taken and start implementing the adjustments right now.
If you liked the post, leave your comment and let us know how you are preparing to deal with these changes!