You can't be too careful when it comes to your reputation and finances. This warning is useful in many situations, and it is accurate when it comes to adapting to the LGPD.
The verbs "adapt" and "protect" do not always go together when it comes to the General Personal Data Protection Law (LGPD).
Since it establishes legal regulations, all Brazilian companies and organizations must adapt to and follow the LGPD and guarantee control and transparency in the use of citizens' personal data.
However, after almost a year of being in force, there are still doubts about how to effectively guarantee compliance with the LGPD.
Consequently, there are also doubts about how to protect companies and organizations against punishments (fines and other administrative sanctions) resulting from infractions or non-compliance with the LGPD.
What is the LGPD
The General Personal Data Protection Law (LGPD) is legislation that aims to protect the freedom and privacy of consumers and citizens.
Although it was published on August 14, 2018 (Ordinary Federal Law No. 13,709) and came into force on December 28 of the same year, the LGPD only took full effect on August 1, 2021.
In practice, the LGPD demands changes in the way people's data is collected, stored and used. As a result, it significantly impacts the administrative, legal, communication and marketing areas and, mainly, information security technology.
By failing to comply with what the LGPD determines, companies and organizations (including public and governmental ones) may be fined or receive administrative sanctions.
As stipulated in the LGPD, punishments can range from a simple fine of up to 2% of the company's revenue in its last year (limited to R$50 million per infraction) to the daily application of a fine (observing the total limit of the simple fine).
This last paragraph clearly explains the idea of the first sentence of this article. After all, in addition to potentially leading to serious financial difficulties, it can compromise and destroy a good reputation.
Not complying with the LGPD can be costly
Almost three years after it was created, on August 1, 2021, the National Data Protection Authority (ANPD) is authorized to apply the penalties provided for in the LGPD.
According to an article on the G1 portal ("Failing to comply with the General Data Protection Law can lead to punishments starting this Sunday", by Alessandro Feitosa Jr.), the ANPD must begin the inspection process in an educational manner.
According to a resolution from the National Data Protection Authority, the guidance is to start in a gentle and scalable way. That is, warn to educate, depending, of course, on the severity of the case.
However, non-compliance with LGPD standards may be penalized with:
- warning,
- publicity of the infraction, which works as a way of alerting society that a certain company has violated the rules,
- simple fine, of up to 2% of the company's revenue and which can reach a maximum of R$50 million per infraction,
- daily fine,
- blocking of personal data relating to the infringement,
- deletion of personal data relating to the infringement,
- suspension of the exercise of the processing activity of personal data relating to the infringement for a maximum period of 6 months, which may be extended for another 6 months,
- partial or total prohibition of carrying out activities related to data processing.
Watch the video above for a good overview of the subject and to see how important it is to comply with the LGPD.
In this video, Igor Pereira, who holds a doctorate and a master's degree in law from the State University of Rio de Janeiro (UERJ), discusses the General Data Protection Law (LGPD) in practice.
According to him, the LGPD is a digital framework that regulates how companies and organizations collect, use and, now, must protect personal data and information.
Dr. Igor Pereira highlights that, among the changes imposed by the new law, companies and organizations adapting to the LGPD must pay attention mainly to three aspects:
- the user's right to request that their data be deleted;
- explicit consent to the use of their data for marketing purposes must be obtained in advance by companies;
- there will be fines imposed on companies that fail to comply with the LGPD.
Adapting to the LGPD: a major compliance challenge
The LGPD says a lot about the maturity of companies. In fact, it separates companies that have an effective compliance policy from those that don't have one or don't even know what it is.
Compliance is an English term derived from the verb "to comply", which means to be in agreement with standards, resolutions, legislation and/or a set of established and agreed rules.
Much more than just “being”, compliance has to do with acting in accordance with the provisions of the General Personal Data Protection Law (LGPD).
Above all, what matters and what protects is practice. Doing what really needs to be done is the best way to truly adapt to the LGPD, and it is what exponentially increases the level of security and protection.
In this sense, from the point of view of Corporate Governance, companies that have truly adapted and comply with agreements and legislation, for example, are well regarded and have a better reputation.
This is certainly an achievement and an unequivocal demonstration of strategic intelligence, which paves the way towards competitive advantages and excellence in management.
After all, the level of maturity, culture and internal policies are reflections of the quality of administration.
LGPD: adequacy versus protection!?!
The General Personal Data Protection Law has a focus and approach specifically aimed at protecting personal data. That is, its protection applies exclusively to the processing of information related to people.
Two considerations follow, and from them it is possible to clearly understand the difference between adequacy and protection in relation to the LGPD.
Firstly, as the name of the General Personal Data Protection Law indicates, the focus is on the individual, on the human person. Therefore, companies and other private entities are excluded from the “protection” of the LGPD.
Secondly, effective protection of personal data is only achieved through information security, by both digital and analogue means (in the case of physical files, for example).
The relevance of information security technologies for the effective protection of data and personal information that companies and organizations need to make available to their customers and users is evident.
How to adapt to the LGPD
Adapting to the LGPD will probably require some investment. To a greater or lesser extent, companies and organizations must be able to standardize the collection of data from their customers and users and, mainly, increase the effectiveness of information security technologies.
According to an article by Aléx Oliveira published on the Lumiun blog at the beginning of this year, adapting to the LGPD requires complying with the new legislation.
See below the 15 tips for adapting to the LGPD and complying with the new legislation.
- Define a process for obtaining consent for the processing of personal data.
- Implement a data subject rights management solution.
- Develop a data retention and disposal policy.
- Create and maintain a personal data processing operations.
- Implement a solution for Data Protection Impact Analysis (DPIA).
- DPO (Data Protection Officer) governance model.
- Hire an external advisor.
- Educate employees through a privacy training program.
- Install solutions for identity and access management.
- Structure, define and formalize an incident management process.
- Review old contracts and update them with protective clauses.
- Include protective clauses in new contracts.
- Develop and maintain internal and external privacy policies.
- Implement a solution to increase internet and information security.
- Define a process for LGPD regulatory changes.
Complying with the LGPD must mean effective protection
The effective protection that adapting to the LGPD must provide undoubtedly requires quality and reliability in internet and information security solutions and technologies.
In fact, the trend is that the technologies in which companies and organizations must invest to guarantee the effectiveness of protection when adapting to the LGPD include solutions such as VPNs and firewalls.
Finally, it is worth remembering that, to adapt to the LGPD, it is essential that managers seek knowledge, implement good management practices in information security and invest in effective internet security solutions in their companies and organizations.