Understand what changes with the General Law of Personal Data Protection and the actions your company needs to take to comply and avoid being fined.
“Can you tell me your CPF, please?” Between us, who here has not heard this question in a daily situation and found it, to say the least, strange or even invasive? Collecting and using data without the slightest explanation of purpose has become commonplace. It was already clear that sooner or later this would have to end, or at least be brought under control. That time has come! On August 26, 2020, provisional measure 959/20 was approved by the Federal Senate, and the General Law of Personal Data Protection, also known by the acronym LGPD, came into force on September 18, 2020.
This law establishes a series of rules for the collection and processing of personal data that apply to any company operating in Brazil. This means that even if your company is foreign, if it works with data collected in Brazil it is subject to the LGPD. And the fines for those who do not comply with the law can run into the millions.
The full text of the General Law of Personal Data Protection is available at the link provided. But if you are not very familiar with “legalese”, we have answered some of the main questions about the LGPD so that you can get up to date and plan the adjustments in your company.
What changes with the arrival of LGPD?
Basically, for individuals, what changes is that they can now expect more ethical behavior from companies and other professionals regarding the sale and indiscriminate use of their personal data. Anyone can revoke the authorization they previously granted for the processing of their data, forcing the company to stop that activity immediately.
As for the companies that handle personal data, they will have to make clear why the data is being collected and where it is going, always requesting the authorization of the owner (the person providing the data). In addition, they must follow a number of handling rules and good practices intended to safeguard the identity of every individual whose data passes through their systems. How this compliance is designed and applied is specific to each category of business, because data use varies from company to company.
Let’s give a simple example for you to understand a little of what changes in practice. Today, if you have a record in a social network here in Brazil, but wish to unsubscribe, the company will continue to have your data to use it for the purposes it wants. Even if it is only to redirect ads or send e-mails inviting you to come back.
With the LGPD, this changes. If you no longer want the company to store or use your data, you can make that request, and by law the company must comply. To enforce this, there will be a dedicated body to inspect companies.
What are the punishments for those who leak data? And who will supervise?
From a simple warning to a fine equivalent to 2% of the company’s annual revenue, which can reach R$50 million per infraction. The punishment varies according to the severity of the leak, and the procedures adopted by the company from the moment it becomes aware of the problem are also taken into account.
To enforce its provisions, the new law provides for the creation of the National Data Protection Authority (ANPD), a body that must oversee companies in both the private and public sectors. A group of 23 representatives comprising both public and civil authorities, called the National Council for Personal Data Protection and Privacy, must also be formed.
However, because the date for the law to come into effect was changed repeatedly as a result of the uncertainties of the Covid-19 pandemic period, fines are not yet being imposed on those who fail to comply with its requirements. Administrative sanctions will be enforced as of August 2021.
Does LGPD apply only to digital data or to physical documents as well?
It is true that, with today’s ease of capturing and exchanging data over the internet, it is hard to imagine personal data existing outside the digital environment. But it does: even data collected through printed forms is subject to the LGPD.
The General Law on the Protection of Personal Data regulates the use of personal data, meaning all information that can in any way, alone or in combination with other data, identify an individual. And the definition of “personal data” is quite broad.
In the view of the LGPD, what defines personal data?
The most didactic definition to explain what the LGPD considers as personal data is: all data that can somehow generate an identification of the holder of that information, alone or together with other data. Name, email, CPF, IP address… all are considered personal data.
However, some of this information requires special attention: the personal data of children and adolescents, and sensitive personal data.
The latter refers to private information whose exposure may cause harm or discrimination to the holder. To be more precise, according to articles 11 to 13 of the LGPD, sensitive personal data are: racial or ethnic origin; religious conviction; political opinion; membership in unions or religious, philosophical or political organizations; data concerning health or sex life; and genetic or biometric data, when linked to a natural person.
Both in the case of children and adolescents and in the case of sensitive personal data, the rules for data collection and processing are stricter.
Is the General Personal Data Protection Law Brazilian?
Yes, but it was inspired by another regulation. The law that influenced the creation of our LGPD was the GDPR (General Data Protection Regulation), which was born after two controversies. One was caused by a massive data leak by Facebook during the US presidential elections. The other was the famous Snowden case, in which a former CIA systems administrator made public details of various programs that spied on the personal data of citizens around the world, especially in the US itself.
Complying with this law not only guarantees more ethical behavior among Brazilian companies and professionals, but also allows international transactions to continue without major problems. After all, in almost all of Europe, the equivalent law has been in effect since 2018.
What are the first steps to adapt to the LGPD?
We have compiled some initial steps below. Remember that they do not cover all of the company’s obligations, nor do they represent a safeguard against risk. They are just a starting point for the compliance process.
- Complete curatorship of every piece of data or information on every individual in the system, including employees and contractors;
- Curation of the source of all data passing through the enterprise;
- Curation of the path and purpose of every piece of sensitive company data;
- Curation of how data is captured and currently handled and, where possible, simplification of this procedure.
What structure do I need to have in order to adapt my company?
A very important concept of the LGPD is the definition of roles for each party involved. As we mentioned before, the person who provides the data is called the “owner”. The company that collects and uses the data is called the “operator”.
But the law also creates one more actor in this context: the “controller,” which can be a natural person or a legal entity. The controller is responsible for making the decisions and monitoring how the company collects and handles data. It acts as a kind of guardian of the LGPD within the company.
Does this mean that everything should remain in the hands of the controller? No, on the contrary. It is essential that the company as a whole is aware of the requirements of the law and the risks that exist if they are not met.
Transparency and care in the use and treatment of data should be part of all the company’s processes. Compliance will therefore not be simple, and it is certainly not something done only once. The rules require constant monitoring and adjustment.
One option for companies that need guidance is to rely on outsourced specialists. Vision Comunicação, for example, offers consulting services with specialized professionals to adapt to the rules, internal communication strategies to guide employees, and awareness campaigns for the internal public on LGPD best practices, all customized to your company’s needs.