LGPD: The importance of data security for your company
The General Personal Data Protection Law (LGPD) was sanctioned in 2018 in Brazil and came into force in September 2020, meeting the 18-month period for companies to adapt to the new rules. The LGPD is regulated by the National Data Protection Authority (ANPD), which released in January 2021 the biannual regulatory agenda with priority items in this first phase of the Law's application.
From August 1, 2021, the sanctions provided for by the LGPD began to apply, and companies that do not follow the Law's rules may be fined up to R$50 million.
Knowing that the subject is difficult but extremely important, INDICO explains below what the LGPD is and why your company and your consumers should pay attention to it.
What is the LGPD and where did it come from?
First, we need to understand that LGPD is a law aimed at any activity that involves the collection and sharing of personal data in order to protect individuals and companies and their fundamental rights of freedom and privacy.
The LGPD sets out rules of conduct and required changes for organizations, establishing clear rules on the collection, storage, processing and sharing of personal data so that this process has greater protection and security. If the Law is not complied with, the organization is subject to significant penalties.
The Law defines "personal data" as "information relating to an identified or recognizable individual", and requires companies and organizations to justify the need for collecting such data, which may be provided only after the consent of the data subject (art. 8).
This requirement is included in the list of the 10 basic principles for data collection, among which are the principles of purpose, suitability, necessity and transparency.
Altogether, the Law specifies four different players in this process:
- Data Subject: the owner of the data, responsible for consenting to the provision of their personal information.
- Controller: a company or individual who collects personal data and is responsible for deciding the purpose of the data processing and what will be done with the data.
- Operator: a company or individual that carries out the processing of personal data following the controller's instructions.
- Officer: a person appointed by the controller and operator to act as the communication channel between the controller, the data subjects and the National Data Protection Authority.
Despite the promising outlook for data protection in Brazil, a country that constantly suffers from massive data leaks, the LGPD arrives late, and it is based on a strict European Union regulation that has been discussed since 2012 and became the General Data Protection Regulation, or GDPR.
The GDPR, approved in 2016, is the official data protection regulation of the European Union and is treated as a reference by several countries that adopt this type of legislation or improve existing laws.
Discussion of the GDPR, starting in 2012, was motivated by the Data Protection Directive, a regulation dating back to the 1990s that no longer matched the technological landscape the world was entering.
It is also important to note that the European Union considers data protection a fundamental right of its citizens, which also fueled the discussion and structuring of the regulation.
In the context of widespread use of social networks and other online channels, the GDPR raised ethical questions about the use of user data, requiring companies to be transparent and responsible with the collection and analysis of customer data.
GDPR vs. LGPD
The GDPR and the LGPD have some similarities, such as the user's permission to use their personal data, the definition of legal bases for data processing, and the user's right to access the information about them that a company uses.
However, we can also point out some differences between the two legislations:
- The GDPR allows users to object at any time to the use of their data for marketing purposes, whereas the LGPD does not directly address the use of data for such purposes.
- GDPR fines range from 2% to 4% of a company's turnover, while LGPD fines are limited to 2%.
- The GDPR requires that users be notified of data leaks within 3 days, while the LGPD does not set a time limit for notification of such incidents.
What changes with LGPD?
With the new law, companies must adapt various procedures for data collection and processing. In addition, the legislation offers more legal certainty both for users and for those who collect the data.
The LGPD brings more control over what information is being collected and for what purpose, making clear to users what will be done with the information they provide.
One of the law's mechanisms is the user's consent when providing personal data. This is why many websites today display specific pop-ups about cookie policies, since cookies are used to send companies information about users' behavior on the internet.
Users now also have the right to request clarification about their information, to know what data a company holds about them, and even to ask for it to be deleted. Handling these and other demands is part of the work of the National Data Protection Authority (ANPD), the federal agency responsible for overseeing compliance with the LGPD and issuing its guidelines.
Who needs to adapt to LGPD?
All organizations, based in Brazil or abroad, with or without operations in the country, that collect and process the data of Brazilian citizens within the national territory. Companies such as Amazon, Netflix and Google must follow the LGPD even when they collect data from Brazilians here and process it in other countries.
Companies headquartered outside Brazil and working with international partners may transfer the collected data abroad, provided that the destination country also has comprehensive laws on the processing of personal information or offers user protection mechanisms similar to those of the Brazilian legislation.
How should companies comply with LGPD?
Many companies are not prepared to deal with this new phase of the data era and comply with the LGPD, because they are focused solely on their core business, on building their brands and on achieving each organization's individual goals.
Complying with the LGPD is a complex and ongoing process, but there are some steps that every company must take to comply with the law. The first is to know the law well, since its guidelines will steer all new data-related processes and must be fully adopted.
Setting up an internal committee responsible for monitoring and analyzing data security within the company is also extremely important, so that professionals from different areas can monitor and supervise the company's performance under the LGPD rules. In addition, the company needs to understand how it currently handles its data and identify possible threats, so that processes and systems are structured in a solid and secure way.
Finally, the most important point is to adopt data security as one of the pillars of the company, because this is the only way to follow the LGPD responsibly and ethically.