The General Law on Personal Data Protection was enacted in 2018 with the aim of regulating the processing of personal data that takes place when services are contracted and products are purchased. For business leaders who still do not understand the main rules of the legislation and how it applies to their own context, the LGPD can be a big challenge.
With this in mind, we have put together a guide covering everything you need to know about the LGPD for companies. Check it out below:
LGPD: What is it?
The General Law of Personal Data Protection (LGPD), registered as Law No. 13,709/2018, is the legal reference document that governs the processing of personal data, held in physical or digital media, by natural persons or by legal entities of public or private law.
This legislation arose amid the need to develop a regulatory standard for activities that use personal data in the execution of their operation. Although it may seem very specific, the collection of personal data occurs all the time in the process of providing a company’s services.
In retail, for example, it is common for stores to ask for personal data such as name and CPF in order to process an exchange or honor a warranty. This simple act makes the establishment responsible for storing this data and protecting it within its operating platform.
In addition, according to the concepts published by the Brazilian Federal Government, personal data can be processed by two processing agents: the Controller and the Operator. Identifying these roles correctly is essential to meeting the obligations set out in the LGPD, and thus to avoiding fines and other penalties for violating the standards established by law.
Besides them, there is the figure of the Officer in Charge, the person appointed by the Controller to act as a communication channel between everyone involved in the processing, namely the Controller, the Operator, the data subjects, and the National Data Protection Authority (ANPD).
Who are the agents involved in the LGPD?
As previously mentioned, correct compliance with the LGPD requires that each agent involved in the processing fulfills its role properly. With that in mind, we have listed the main responsibilities of each of these agents below:
Controller:
Generally speaking, the controller is a natural or legal person, of public or private law, whose main function is to make the decisions regarding data processing. According to the LGPD leader of the Daryus Group, it is up to the controlling agent to define its own actions and rules, according to its business model and its legitimate interest, in compliance with the law.
Operator:
The operator, in turn, is a natural or legal person, of public or private law, responsible for carrying out the processing of personal data on behalf of the controller. According to the concepts disclosed by the Daryus expert, this agent processes and manages the information according to the rules established by the controller.
Imagine that you are the owner of a company and your employee has unlawfully disclosed a customer’s personal data. In this case you are the controller, because, even though you were not the one who disclosed the consumer’s information, you are the leader of the business, and the customer entrusted their personal data to the company and not to a specific employee.
Your subordinate, on the other hand, would be the LGPD operator, i.e. the one who performs the processing and handling of the data according to the rules pre-established by the business leader.
Holder (data subject):
As the name suggests, the holder is the agent who owns the data; in the case above, the holder is the customer who entrusted their information to the company. It is important to note that the main objective of the LGPD is to safeguard the privacy and security of the data subject.
Thus, in a situation where the LGPD is violated, as described above, the company’s controller needs to know what next steps to take to resolve the problem.
National Data Protection Authority:
This is the federal public administration body responsible for regulating, implementing, and enforcing compliance with the guidelines laid out in the LGPD. Moreover, it is important to note that, in order to exercise these different functions, the authority has technical and decision-making autonomy guaranteed by law.
Since 2021, the ANPD has been authorized to apply penalties for violations of the current legislation. The penalties applied by the ANPD vary greatly according to the type of violation. After an administrative process that analyzes the occurrence, penalties such as the following are applied:
- Simple warnings
- Fines of 2% of the company or group’s turnover in the last fiscal year
- Blocking or deletion of the data involved in the occurrence
- Suspension or prohibition of the personal data processing activity
Which types of data does LGPD protect?
In the process of selling a service or product, companies may request various types of data. It is therefore common for business leaders to feel curious, and at the same time lost, about which types of data the LGPD protects.
As the text of Law No. 13,709/2018 puts it, the law was enacted to protect the fundamental rights of freedom and privacy and the free development of the personality of each individual. That is, any personal data that can directly affect one of these spheres is information protected by the LGPD.
The Brazilian legislation, however, distinguishes two types of data: personal data, which identifies an individual in society, such as identity number, date of birth and CPF; and sensitive data, which is directly linked to the privacy and intimacy of the individual.
To make this clearer, here are some of the categories the law treats as sensitive data, several of which are commonly requested when services are provided:
- union membership;
- genetic data;
- biometric data, when processed to uniquely identify a natural person;
- health-related data;
- data relating to a person’s sex life or sexual orientation;
- religion.
In addition to the categories above, the legislation also introduced a third type of personal information: anonymized data, meaning data about a holder who cannot be identified, considering the reasonable and available technical means at the time of processing. Once an individual’s data has gone through an anonymization process that cannot be reversed by such means, it ceases to be personal data and becomes merely statistical, which the LGPD does not protect. The company can then use it without restriction for its own purposes.
How important is the LGPD?
Contrary to what many people think, the LGPD was introduced with the aim of halting the great wave of data misappropriation and cybercrime that had been happening in Brazil in recent years. Before Law No. 13,709 of 2018, there was already a national regulation covering digital transactions, the Marco Civil da Internet.
However, this regulation was no longer enough to ensure that individual rights were safeguarded when information is collected. It was from this premise that the LGPD and its supervisory body emerged.
Today, the implementation of LGPD in companies represents not only a bureaucratic measure, but is also directly linked to the fight against cybercrime in Brazil. According to information published by CNN, Brazil is the country in Latin America that suffers the most from theft of personal data.
Moreover, with the advent of the pandemic, Brazil suffered a 106% increase in the number of cases related to cybercrime. These numbers are a reflection of the great technological revolution taking place around the world.
Currently, new technologies emerge all the time, replacing analog tools and bringing greater accessibility and speed to operations. One of the big problems, however, is that most companies and business leaders do not have the necessary protection in their systems, which compromises the security of their customers and of the organization itself.
Brazilian entrepreneurs therefore need to be increasingly prepared to deal with external threats to their databases. For this, you can count on Monitora’s digital solutions. Together, we can develop the best protection system for your organization.
The LGPD in companies
Until the year 2021, LGPD was only a measure for the future of Brazilian business. However, today, compliance with the legal standards for data protection is already a reality monitored by the ANPD.
The big problem is that, even after several years, many institutions have still not managed to comply with all the requirements laid down in the law. As a consequence, these companies end up suffering legal sanctions for their lack of preparation and compliance with the norm.
There are already several approaches to complying with the General Law of Protection of Personal Data in the company. The first step is to hire a team specialized in the company’s technological security.
To protect the information you collect, it is important that your entire data system has a secure and scalable interface. It is also important to inspect your information system to identify unsafe behaviors that may, indirectly, be jeopardizing the efficiency of your processes.
Another very important point for companies is the hiring of a specialized team of lawyers. Just like any other area of law, the LGPD is also a sector that has its nuances and specificities. Therefore, it is important that the company’s processes are accompanied by an updated professional.
Although it may seem costly and stressful, this process of adaptation to LGPD is already a consolidated reality in Brazil. Large companies are already establishing their security standards, training employees and, especially, updating their software systems and digital technologies.
How to avoid sanctions under the LGPD?
The best way to avoid fines and other sanctions related to the LGPD is to create an effective compliance program. With it, the company can check how data processing is done within the organization and adapt it to the legal requirements.
In short, when we talk about the LGPD, all data processing must respect a basic tripod:
- Be consistent with the principles of the law;
- Be justified by one of the legal bases of the LGPD;
- Respect the rights of the data subjects.
However, avoiding fines in inspection processes requires understanding much more than just this tripod of how the legislation works. So we have separated 4 crucial tips for your strategic planning on the LGPD:
1. Mapping the information stored in the database
One of the main mistakes Brazilian companies make when implementing a compliance program is not mapping their data (data mapping).
This is a key point for the security of your information system: when it comes to LGPD compliance, data mapping provides an overview of how the company is handling the privacy and security of the data in its custody.
It is important to emphasize, however, that this entire process must itself comply with the data protection regulations in force.
Contrary to what many people think, data mapping is not a bonus on top of the security assurance process. In fact, the procedure is aimed at complying with art. 37 of the LGPD, which requires the responsible agents, the controller and the operator, to keep a record of their personal data processing operations.
Another important point is that this process must make the path taken by the information within the company clearly visible. After mapping, the way in which each piece of data was acquired must be clearly documented, indicating issues such as:
- what is the legal basis that supports the treatment of this data;
- what the security level of the database is;
- possible technical and legal weaknesses present in the information system.
2. Establish the Data Protection Officer (DPO)
The DPO, or Data Protection Officer, is the professional, or group of professionals, with expertise in data protection. Their primary responsibility is to monitor, supervise, and advise the controller, the data subjects, and the ANPD.
In short, their role is to ensure that the company is in line with data protection and privacy regulations.
See what the DPO’s responsibilities are, according to the LGPD:
I – Accept complaints and communications from data subjects, provide clarifications and adopt measures;
II – Receive communications from the national authority and take action;
III – Guide the entity’s employees and contractors on the practices to adopt regarding the protection of personal data; and
IV – Perform other attributions determined by the controller or established in complementary norms.
3. Managing data sharing with third parties
Another very important issue when it comes to ensuring LGPD compliance is the sharing of data with third-party institutions. Most organizations work with outsourced services, and this ends up resulting in the sharing of important information with other companies. But what does this data sharing consist of?
According to current legislation, the shared use of personal data occurs whenever personal data is disseminated, communicated, reported or transferred, whether within the national territory or between different countries.
Therefore, from the moment we use third-party institutions to carry out different processes in our company, it is essential that, in the data sharing flow, the company collects the proper authorizations from the data subjects.
In addition, this data must be processed properly, away from any risk of exposure or leakage. Another important point is that it is essential to verify whether the third parties are themselves already in compliance with the General Law of Data Protection.
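The data-mapping tip (keeping an art. 37 record of processing operations with the legal basis and acquisition path of each data set) and the third-party sharing tip above can both be turned into a simple, repeatable check. The following is an added example written for this article, not code from the original page or from Monitora: a minimal register of processing activities with a validator that flags entries without a recorded legal basis or acquisition path, sensitive-data categories (the ones listed earlier on this page) that rest only on legitimate interest, and sharing with third parties without data-subject authorization or a verified compliance status. The category and legal-basis labels, the `ThirdParty` and `ProcessingActivity` structures, and the sample register are all assumptions constructed for the example.

```python
"""Added example: a minimal LGPD records-of-processing register with checks.

Not code from the original article or from Monitora. The category and
legal-basis labels are assumed names chosen for illustration, not the law's
exact wording, and the sample register is constructed data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Categories the article lists as sensitive data under the LGPD.
SENSITIVE_CATEGORIES: Set[str] = {
    "union_membership", "genetic", "biometric", "health",
    "sex_life_or_orientation", "religion",
}

# Illustrative legal-basis labels (assumed for this example).
LEGAL_BASES: Set[str] = {
    "consent", "contract", "legal_obligation", "legitimate_interest",
}


@dataclass
class ThirdParty:
    name: str
    lgpd_compliance_verified: bool  # has the company checked this partner's compliance?


@dataclass
class ProcessingActivity:
    name: str
    data_categories: Set[str]
    legal_basis: Optional[str]
    source: str  # how the data was acquired (the "path" the article asks for)
    shared_with: List[ThirdParty] = field(default_factory=list)
    subject_authorization_for_sharing: bool = False
    anonymized: bool = False


def check_activity(activity: ProcessingActivity) -> List[str]:
    """Return findings for one register entry; an empty list means no gaps found."""
    findings: List[str] = []
    if activity.anonymized:
        # Anonymized data is no longer personal data, so these checks do not apply.
        return findings
    if not activity.source.strip():
        findings.append("acquisition path (source) is not documented")
    if activity.legal_basis not in LEGAL_BASES:
        findings.append("no recognized legal basis recorded")
    sensitive = activity.data_categories & SENSITIVE_CATEGORIES
    if sensitive and activity.legal_basis == "legitimate_interest":
        # Assumption of this example: sensitive data must rest on one of the
        # narrower bases, so legitimate interest alone is flagged for legal review.
        findings.append(
            "sensitive data (" + ", ".join(sorted(sensitive))
            + ") relies on legitimate interest; review the legal basis"
        )
    if activity.shared_with:
        if not activity.subject_authorization_for_sharing:
            findings.append("shared with third parties without data-subject authorization")
        for partner in activity.shared_with:
            if not partner.lgpd_compliance_verified:
                findings.append(f"third party {partner.name!r} has no verified LGPD compliance")
    return findings


def audit(register: List[ProcessingActivity]) -> Dict[str, List[str]]:
    """Run the checks over the whole register; only entries with findings are returned."""
    report: Dict[str, List[str]] = {}
    for activity in register:
        findings = check_activity(activity)
        if findings:
            report[activity.name] = findings
    return report


# Constructed sample register (not real company data).
SAMPLE_REGISTER: List[ProcessingActivity] = [
    ProcessingActivity(
        name="store_exchange",
        data_categories={"name", "cpf"},
        legal_basis="contract",
        source="collected at the counter when a product is exchanged",
    ),
    ProcessingActivity(
        name="employee_health_plan",
        data_categories={"name", "cpf", "health"},
        legal_basis="legitimate_interest",
        source="",  # acquisition path never documented
        shared_with=[ThirdParty("insurer-example", lgpd_compliance_verified=False)],
    ),
    ProcessingActivity(
        name="sales_statistics",
        data_categories={"purchase_totals"},
        legal_basis=None,
        source="aggregated from the sales system",
        anonymized=True,
    ),
]

if __name__ == "__main__":
    for entry_name, entry_findings in audit(SAMPLE_REGISTER).items():
        print(entry_name)
        for finding in entry_findings:
            print("  -", finding)
```

Run as a script, the audit reports nothing for the store exchange (documented source, contractual basis, no sharing) or the anonymized statistics, and four findings for the health-plan entry: missing source, sensitive data on legitimate interest, sharing without authorization, and an unverified partner. Extending the register with the security level of each database and the weaknesses found in inspections, as the article recommends, is a matter of adding fields and checks in the same style.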
4. Adequate investments in information security
The large increase in the number of cybercrime cases in Brazil creates a highly unstable, dangerous, and worrisome scenario for the stability of companies. The country currently faces many cases of cyber attacks and of exposure or loss of data, especially linked to financial matters or political exposure.
This reality shows even more clearly the importance of investing adequately both in highly skilled technology professionals and in an information security infrastructure.
When a business leader combines a well-structured digital security setup with specialized professionals, the company will be in compliance with the LGPD as regards the privacy and security of its customers’ personal data.
Want to understand how you can strengthen your data protection system from the investment in information technology? Contact Monitora and find out the best solutions for your company!