LGPD: does my company need to worry?

Technology entrepreneurs are already familiar with topics related to user privacy.

This is because the use of user and customer data on the internet generates heated debates in the technological universe.

For many, the limits are not yet well defined.

With the introduction of the General Personal Data Protection Law (LGPD), the scenario changes.

There is no more room for uncertainty.

Companies that have customer and user databases need to understand what the law is about, in order to avoid operating illegally!

If you are a businessman who works in the technology sector or who is not sure what the law is about, stay tuned below.

Privacy in the eyes of Europeans

Recently, the misuse of personal data in several leaks – including cases with influence on the 2016 American elections – motivated the European Union parliament to develop specific legislation on the subject.

Thus, in 2018, the GDPR – General Data Protection Regulation was .

The regulation governs the way data from European Union residents must be processed and influences companies around the world, as the internet allows European citizens to contact foreign websites and vice versa.

In short, European law protects citizens from the misuse and commercialization of their personal information.

It is important to emphasize that the Brazilian LGPD was strongly influenced by the regulations put into force in the old world.

But, after all, what does the General Personal Data Protection Law say?

The General Data Protection Law

Law 13,709/2018, better known as the General Data Protection Law, was created in the global context of the discussion on privacy and aims to protect clients, users and consumers from the misuse of their personal data by companies.

Despite being approved in 2018, the law gave two years for adjustments.

The deadline for the General Data Protection Law (LGPD) to come into effect was postponed to January 1, 2021 due to the pandemic.

First of all, it is important to highlight that Brazilian law regulates any and all sensitive customer information, whether stored in physical or digital media.

Therefore, all companies must adapt to the legislation, including those that are not in the information technology sector!

The main foundations of the LGPD are as follows:

  • Respect for privacy

  • Informational self-determination

  • Inviolability of intimacy […]

  • Free enterprise, free competition and consumer protection and

  • Human rights, the free development of personality, dignity and the exercise of citizenship by natural persons.

As can be seen from reading, the main focus of the law is to protect citizens.

Exactly because of the legal focus, it is necessary for companies to understand the LGPD.

Failure to comply with its rules results in severe punishments, as will be seen below.

With all factors taken into consideration, who are the main people affected by the General Personal Data Protection Law?

The subjects of the General Law

The LGPD lists four subjects in sensitive data processing operations:

  • Holder is the person whose data is intended to be protected
  • Controller is the natural or legal person, under public or private law, who decides what will be done with personal data
  • Operator is the natural or legal person, under public or private law, indicated by the controller who effectively processes personal data
  • Person in charge is the person appointed by the controller and operator to act as a communication channel between all parties, including the regulatory and supervisory authority.

If your company has a personal database of customers, it certainly fits into one or more of the hypotheses above and could be held responsible for breaking the Law.

Another important point is that individuals are also affected by legal rigor if they have personal information about their customers.

It is therefore difficult to imagine a company that is not under the scrutiny of the new legislation.

But, after all, what is the General Personal Data Protection Law about?

Main points of the LGPD

The General Personal Data Protection Law has principles that are important for companies to know:

Goal

Personal data must be used for the purpose for which it was intended and communicated to the holder. Any deviation from this use, including commercialization by third parties, is a flagrant disregard for the LGPD.

Adequacy 

In addition to respecting the purpose for which the data is intended, the company must ensure that the use is appropriate to the context, that is, that the data processing is consistent with its initial purpose.

Need

The law provides for the limitation of data processing to the minimum necessary to achieve its purposes.

Free access

Holders must be guaranteed easy and free consultation on the form and duration of information processing, as well as the completeness of their personal data.

Data quality

Personal data must be accurate, clear, relevant and updated in relation to the purpose for which it was collected.

Transparency

The content of the stored data must be transparent, that is, the holder must have easy access to their information.

Security

The company must protect personal data from unauthorized access and accidental or illicit situations of destruction, loss, alteration, communication or dissemination.

Prevention

The data controller must adopt measures to prevent damage resulting from the processing of personal data.

Non-discrimination

The data may not be used for unlawful or abusive discriminatory purposes.

Responsibility and accountability

The agent must adopt effective measures capable of proving compliance with the rules.

What happens if the company breaks the law? Let's see next.

What happens if the company violates the Law

The Law provides for serious sanctions in case of non-compliance:

  • Warning, indicating a deadline for adopting corrective measures
  • Simple fine, of up to 2% (two percent) of revenue, limited, in total, to R$50,000,000.00 (fifty million reais) per infraction
  • Daily fine for non-compliance
  • Publication of the infraction
  • Blocking of personal data until regularization
  • Deletion of personal data to which the infringement relates
  • Partial suspension of database operation for a maximum period of 6 (six) months, extendable for the same period
  • Suspension of the exercise of personal data processing activities for a maximum period of 6 (six) months, extendable for the same period
  • Partial or total prohibition on carrying out activities related to data processing

The General Personal Data Protection Law is extremely strict, which brings us back to the question at the beginning:

After all, should my company worry about the LGPD?

Yes!

Currently, practically all companies have databases about their customers and are therefore affected by the LGPD.

Anyone who does not comply is subject to the rigor of the law, which can mean anything from a million-dollar fine to a ban on carrying out activities, depending on the case and sector.

Make no mistake about the possible lack of supervision.

The trend is a continuous increase in the protection of consumers' right to privacy.

Don't wait until you receive a legal notice or a fine!

Lumiun Tecnologia has professionals specialized in the subject.

 

Stay informed on the subject

See our other article with 14 tips for complying with the LGPD.

If you are interested in finding out more about this and other topics in the technological universe, subscribe to our Information Security Week to receive weekly curated content on the subject.

Also continue visiting our blog. There are several articles related to information security and team productivity!
