General Data Protection Law: Understand the Step-by-Step to Implement It in Your Company


The General Data Protection Law (LGPD) was approved in 2018 and sanctioned in September 2020.

Companies that do not implement the LGPD by the beginning of the second half of 2021 will be subject to the sanctions provided for in the law.

Never before in history have we had such capacity to capture, store, and process data. This has allowed businesses of all segments and sizes to have access to high-precision management tools.

In the coming years, with the development of Artificial Intelligence and the Internet of Things, this scenario is only expected to intensify.

However, scandals about the use of personal data by some technology giants point to the need for greater transparency and regulation in their use.

Consequently, legislation on this specific topic has been emerging worldwide.

The Brazilian LGPD was inspired by the European Union’s legislation on the subject – the main reference in current data protection laws – and complements our important Internet Civil Framework, which among other advances guaranteed network neutrality in our territory.

General Data Protection Law: Which Companies Need to Comply?

The first aspect to understand about the General Data Protection Law is which companies need to comply with the law and implement it.

The answer is: all those that perform any data processing, regardless of size or area of activity.

To make it clearer:

If in your business you use a CRM system where you register your customers, storing and using this data for later actions, you are already within the scope of the law.

That is, you should understand how the law works in order to avoid the sanctions provided for those who do not comply with the LGPD.

For organizations that already have well-structured information technology departments and qualified professionals in information security management, adaptation will likely be simple and not very laborious.

However, it is worth remembering that today many smaller companies and self-employed professionals already use personal data in their daily work without paying attention to security.

In many cases, this occurs due to ignorance or lack of understanding of the importance of these measures.

Therefore, for the LGPD to take hold in Brazil, information is essential.

Learn about the main rules of the new General Data Protection Law below, so that you can successfully implement it in your company!

Understanding the Main LGPD Rules

1- Purpose and consent

One of the main objectives sought with the General Data Protection Law is to ensure greater transparency in the use of personal data by organizations, whether private or public.

Accordingly, the Principle of Purpose is the first rule of the legislation.

The rule states that data subjects must always be informed for what purpose their information will be used. This informed purpose cannot be changed.

Data collection must therefore meet ten requirements for data capture and processing; among them is consent to use.

If the organization intends to change the purpose of data use, it must inform and request new consent from the data subjects.

2- Sensitive Personal Data

Personal data is understood as data that identifies a natural person, such as:

  • name,
  • CPF (Brazilian Social Security Number),
  • age,
  • gender,
  • health condition,
  • among others.

The LGPD, however, also brings the concept of sensitive personal data.

Sensitive personal data are those such as:

  • Political affiliation;
  • Religious belief;
  • Race;
  • Sexual orientation;
  • Health data;
  • Biometric data.

This type of information is treated with greater rigor by the law.

Its use and processing require compliance with a more extensive set of obligations than those that apply to common data.

For example, drafting internal regulations and prohibiting data from leaving the organization for processing.

The General Data Protection Law also includes rules for the disposal of this data after processing.

Finally, organizations may use only the sensitive data that is necessary for a specific purpose.

3- Controller, officer, and operator

The General Data Protection Law establishes three new figures:

  • Data controller;
  • Data officer;
  • Data operator.

3.1- Data controller: is responsible for the use of data in the institution, controlling how it is used.

3.2- Data officer: is responsible for communication with the data subject. This figure must keep the record of data use and pass on the information when requested.

3.3- Data operator: is responsible for effectively processing the data.

These figures are essential in the implementation of the LGPD. They must therefore handle the administrative obligations provided for in the law.

For example:

  • establish the process for attending to data subjects,
  • build a privacy risk matrix,
  • establish a privacy incident contingency plan,
  • among others.

The legislation also establishes the National Data Protection Authority (ANPD), responsible for overseeing the application of the law and imposing sanctions.

4- Security, confidentiality, and governance

According to the new data law, the ANPD is responsible for establishing the minimum levels of security and confidentiality that must be met by private companies and public agencies.

It is worth remembering that the LGPD already expressly prohibits the transfer and sale of data.

Those who do not comply with the required security levels will be subject to a fine that can reach 2% of the company’s revenue, limited to R$ 50 million.

In addition to the fine, the law provides for a series of liability scenarios that apply when data is not adequately protected.

To avoid risks, it is important to invest in information security measures and practices.

5- Privacy by Design

Another rule that deserves attention is the one that establishes Privacy by Design.

This requires that every online or offline product that involves personal and sensitive data incorporate privacy from its conception.

The LGPD establishes a series of steps and documents to guide the planning of your product or service, as well as the monitoring of its execution once it is made available.

Privacy must guide all internal projects, and solutions delivered to the market must also include privacy settings that offer users the best security.

Step by Step LGPD: adapting your company to the General Data Protection Law

With these five basic rules in mind, it is possible to start the implementation of the LGPD in your organization.

For this, you can follow a simple but effective step-by-step process. Check it out!

Scenario Analysis

The starting point can only be an analysis of your company’s current scenario.

There are organizations that need to do little to be in compliance with the new law. On the other hand, some companies have a lot of work ahead.

Which of these scenarios your company fits into can only be answered after a careful analysis of the data it handles.

In addition, it is essential to analyze the information technology used in your business.

At this stage, having a digital expert makes all the difference. This professional will be able to produce an accurate mapping of your business to guide the adaptation actions.

Definition of the data operator

It is possible that your company has more than one data operator.

A cloud storage service, for example, fits into this category, as does a hired data scientist.

It is very important to reinforce that data operators must also obey the legislation and can be held legally responsible, whether jointly or even fully, if they process data illegally without a direct order from the controller.

Always choose reputable professionals and companies to avoid headaches and losses.

Information security plan

After understanding the scenario of your company and defining the data operators, it is time to establish a data privacy program.

In this program, technical and administrative measures must be included to ensure information security, avoiding penalties provided for in the law.

Privacy governance program

Finally, your company must establish a privacy governance program, where it will define good practices in the use of personal data.

At this stage, the following must be defined:

  • procedures,
  • operating regime,
  • security standards,
  • technical standards,
  • educational actions,
  • control and monitoring bodies.

The governance program is the brain and heart of LGPD compliance.

It defines the practices that ensure all processing of personal data is carried out in accordance with the legal bases.

Don’t wait! Start implementing the LGPD in your company today!

The General Data Protection Law is an advancement in terms of transparency in the use of data.

Above all, out of respect for users’ privacy, it is essential that everyone embraces the new legislation and ensures compliance with it.

Therefore, it is very important to emphasize that companies have until the beginning of the second half of 2021 to comply with the legislation.

Those who do not implement the LGPD by the deadline will be subject to heavy fines and sanctions.

Don’t take risks! Start now to take the measures that allow your business to organize itself to comply with the General Data Protection Law.

To learn more about information security and ways to protect your business from cyberattacks, follow our pages on social networks and keep following our blog!

See you next time!

Copyright © 2023 – All rights reserved.