The LGPD – General Data Protection Law – was sanctioned in 2018 and came into effect in September 2020.
The new legislation placed Brazil among the countries that have specific laws forr the protection of personal data.
For digital media users and consumers, the new law means greater protection of privacy and security in the use of their data. For companies, the LGPD means the adoption of new processes that ensure this objective.
LGPD and New Consumption Habits
Today we not only produce and consume information as never before in history.
But we also have a huge capacity to analyze and process this information in order to achieve different objectives, such as carrying out marketing actions more effectively, making better decisions, among others.
However, recent scandals involving the use of personal data, which involved technology giants, question the way this information is used.
In other words, today we know that there is a lack of transparency in these processes, and the need to regulate them to protect individuals’ privacy.
What is the LGPD, the General Data Protection Law?
Brazil had already taken an important step to adapt to the new reality of the digital world with the approval of the Internet Civil Framework, legislation that mainly focuses on creating mechanisms aimed at protecting the user of the global computer network.
The LGPD is another step in this process. Inspired by the General Data Protection Regulation, the European Union’s data protection law.
The law served as a model for our country as well as for other locations around the globe – currently, there are 120 countries with legislation that regulates the use of personal data.
The LGPD guarantees protection to citizens
Users and consumers know little about what is done with their personal information.
Information collected by companies from all sectors. In other words, not only technology companies, in the most different ways.
There is even a lucrative parallel market for the sale of personal data.
Thus, the General Data Protection Law arrives with the objective of regulating this use. Above all, guaranteeing greater protection and security to the privacy of citizens.
The law comes into force to create devices and processes that must be adopted by organizations. And, heavy sanctions are foreseen for those who do not comply with the standard.
Which companies need to comply with the LGPD?
The collection, storage, and processing of data are not exclusive to technology companies. Nor to large companies.
Today, even small businesses use this practice to leverage their results and gain efficiency.
Therefore, all companies that process data of Brazilian citizens or that were collected in Brazil must comply with the new legislation.
In other words, regardless of their size, sector of activity, and geographical location.
We know that for many entrepreneurs, especially small and medium-sized ones, this scenario presents itself as a great challenge, especially due to the lack of clarity regarding the legislation and its technical aspects.
However, it is important to emphasize that it is necessary to overcome these difficulties.
Above all, because as of August 2021, punishments will begin to be applied to legal entities that do not operate in accordance with the general data protection law.
If you don’t even know where to start adapting your business, stay with us and we’ll help you with that.
LGPD step by step: how to comply with the general data protection law
Understanding concepts
The first thing to be done in a process of adapting to the LGPD is to understand the basic concepts that are present in the legislation.
This understanding is important so that you have greater clarity about the law.
1- Personal data
It is common to believe that personal data are those such as name, RG, CPF, for example.
The LGPD standard, however, is based on a broader concept.
Understanding personal data as all that which, alone or in conjunction with others, can identify a person or subject a person to certain behavior.
Today we have a range of personal data formats that can be collected from different sources.
A cookie generated when accessing a website, for example, is considered personal data, as it can be used in marketing actions.
A cookie does not inform who the person is. But, it allows a company to infer behavior profiles. And so, direct your advertising so that these are more effective and capable of impacting the user.
2- Sensitive personal data
The LGPD standard also introduces the concept of sensitive personal data.
Which are those about:
- ethnic origin,
- religious belief,
- political opinion,
- affiliation to a union or religious institution,
- philosophical or political,
- data referring to health,
- sexual life,
- genetic or biometric.
3- Data processing
Processing is any operation carried out with data, from collection to disposal.
The general data protection law defines standards for any action of this type:
- collection, classification,
- use,
- sharing,
- storage,
- processing, etc.
4- Controller, Operator, and Regulator
The LGPD standard establishes three new figures:
- the controller,
- operator
- and the regulator.
4.1- The controller
The Controller is the company that makes the decisions about personal data.
It defines when and how the data formats will be collected; what uses they will be intended for. In addition to where they will be stored, when they will be discarded, etc.
The controller can himself carry out the data processing, as he can hire a third party for this, the operator.
4.2- Operator
The Operator appears as the figure responsible for processing the data.
But, it does not have the power of decision over them, and must always obey the controller’s orders when these are in accordance with the legislation.
It is worth reinforcing that the operator who carries out an illegal action at the controller’s command, responds jointly in court.
4.3- Officer
The Officer is the person appointed by the controller to act in communication between:
- controller;
- data subjects;
- and the National Data Protection Authority.
5- Legal bases
The legal bases are the hypotheses provided for in the LGPD standard that authorize the processing of personal data.
Today there are 10 legal bases in the legislation:
- Consent;
- Legitimate Interest;
- Contracts;
- Legal obligation;
- Execution of public policies;
- Studies by research bodies;
- Judicial process;
- Protection of life;
- Health care;
- Credit protection.
- Complying with the LGPD
Now that you already know the main basic concepts of the standard, we will show you how you can act to implement the necessary processes to adapt your company.
Scenario Analysis
The starting point could not be other than the analysis of the scenario of your company.
There are organizations that need to do little to be in compliance with the new law, while others have a lot of work ahead.
In which of these scenarios does your company fit is a question that needs to be answered.
But, after a careful analysis of how data and information technology are used in your business.
At this time, having a digital expert makes all the difference. This professional will be able to make an assertive mapping of your business to guide the adaptation actions.
Definition of Data Operator
It is possible that your company has more than one data operator.
A cloud storage service, for example, fits into this category, as does a hired data scientist.
It is very important to reinforce that data operators must also obey the legislation.
They respond judicially, either jointly or even fully.
That is, if you carry out the processing of data illegally without a direct order from the controller.
Therefore, always look for reputable professionals and companies and avoid headaches and losses.
Information Security Plan
After understanding the scenario of your company and defining the data operators, it is time to establish a data privacy program.
In this program, technical and administrative measures must be included to ensure information security, avoiding penalties provided for in the law.
Privacy Governance Program
In conclusion, your company must establish a privacy governance program.
That is, define good practices in the use of personal data.
At this time, they must be defined:
- procedures,
- operating regime,
- security standards,
- technical standards,
- educational actions
- and control and monitoring bodies.
The privacy governance program is the brain and heart of LGPD compliance.
Above all, it is he who will define the practices to ensure that all processing of personal data is in accordance with the legal bases.
Conclusion
The General Data Protection Law is an important achievement for Brazilian citizens.
In short, at this moment when the power of the use of personal data and its social impacts become increasingly evident.
It is essential that companies do not see the LGPD as just another bureaucracy.
But, as a necessity of the modern world that benefits everyone.
Guaranteeing, for example, greater security and transparency in the use of information that we provide and even generate.
From the second half of 2021, legal sanctions for organizations that fail to comply with the legislation will begin to be applied.
Therefore, if you have not yet started to comply with the LGPD, do not waste any more time!
Ensure agile work in accordance with the law. Count on the service of professionals specialized in information security.
STW Brasil is ready to assist you and ensure that your business is in compliance with the LGPD.
See you next time!
