adapt to the LGPD

Warning: complying with the LGPD (Brazilian General Data Protection Law) does not mean absolute protection

You can never be too careful when it comes to your reputation and finances. While this warning and guidance apply to many situations, they are especially important when it comes to complying with the LGPD (Brazilian General Data Protection Law).

The verbs "to adapt" and "to protect" don't always go hand in hand when it comes to the General Data Protection Law (LGPD).

Since it establishes legal standards, all Brazilian companies and organizations must adapt to and follow the LGPD (Brazilian General Data Protection Law) and ensure control and transparency in the use of citizens' personal data.

However, after almost a year in effect, doubts remain about how to effectively guarantee compliance with the LGPD (Brazilian General Data Protection Law).

Consequently, this also applies to the protection of companies and organizations against penalties (fines and other administrative sanctions) resulting from violations or non-compliance with the LGPD (Brazilian General Data Protection Law).

What is the LGPD?

The General Data Protection Law (LGPD) is legislation that aims to protect the freedom and privacy of consumers and citizens.

Although it was published on August 14, 2018 (Federal Ordinary Law No. 13,709), and came into effect on December 28 of the same year, the LGPD (Brazilian General Data Protection Law) only came into full force on August 1, 2021.

In practice, the LGPD (Brazilian General Data Protection Law) demands changes in how people's data is collected, stored, and used. As a result, it significantly impacts the administrative, legal, communication and marketing areas, and especially information security technology.

By failing to comply with the LGPD (Brazilian General Data Protection Law), companies and organizations (including public and governmental ones) may be fined or receive administrative sanctions.

According to the LGPD (Brazilian General Data Protection Law), penalties can range from a simple fine of up to 2% of the company's revenue in its last fiscal year (limited to R$ 50 million per infraction), to the daily application of a fine (observing the total limit of the simple fine).

Without a doubt, this last paragraph clearly illustrates the idea of the first sentence of this article. After all, besides potentially leading to serious financial difficulties, it can compromise and destroy a good reputation.

Failure to comply with the LGPD (Brazilian General Data Protection Law) can be costly

Almost three years after its creation, on August 1, 2021, the National Data Protection Authority (ANPD) is authorized to apply the penalties foreseen in the LGPD (Brazilian General Data Protection Law).

According to an article on the G1 portal ("Failure to comply with the General Data Protection Law may result in penalties starting this Sunday", by Alessandro Feitosa Jr.), the ANPD (National Data Protection Authority) should begin the inspection process in an educational manner.

According to a resolution from the National Data Protection Authority, the guidance is to start gently and gradually. That is, to warn in order to educate, depending, of course, on the severity of the case.

However, failure to comply with the LGPD regulations may result in penalties such as:

  • Warning;
  • Publicizing the infraction, which serves as a way to alert society that a particular company has violated the rules;
  • A simple fine, of up to 2% of the company's revenue, which can reach a maximum of R$ 50 million per infraction;
  • Daily fine;
  • Blocking of personal data relating to the infraction;
  • Deletion of personal data relating to the infraction;
  • Suspension of the activity of processing personal data related to the infraction for a maximum period of 6 months, which may be extended for another 6 months;
  • Partial or total prohibition of activities related to data processing.

Watch the video above to get a good overview of the topic and see how important it is to comply with the LGPD (Brazilian General Data Protection Law).

Igor Pereira, who holds a doctorate and master's degree in law from the State University of Rio de Janeiro (UERJ), discusses the General Data Protection Law (LGPD) in practice.

According to him, the LGPD (Brazilian General Data Protection Law) is a digital milestone that regulates how companies and organizations collect, use and, now, must protect personal data and information.

Dr. Igor Pereira emphasizes that, to comply with the LGPD (Brazilian General Data Protection Law), among the changes imposed by the new law, companies and organizations must pay attention to three aspects:

  • The user's right to request that their data be deleted;
  • Companies must obtain explicit consent from individuals beforehand for the use of their data for marketing purposes;
  • Companies that fail to comply with the LGPD will be subject to fines.

Adapting to the LGPD: a major compliance challenge

The LGPD (Brazilian General Data Protection Law) says a lot about the maturity of companies. In fact, it separates companies that have an effective compliance policy from those that don't have one or don't even know what it's about.

Compliance is an English term derived from the verb "to comply", which means to be in accordance with established and agreed-upon norms, resolutions, legislation, and/or a set of rules.

Much more than just "being," compliance is about acting in accordance with what is established in the General Data Protection Law (LGPD).

Above all, what matters and what protects is practice. Actually doing what needs to be done is the best way to truly comply with the LGPD (Brazilian General Data Protection Law), and it is what exponentially increases the level of security and protection.

In this sense, from a Corporate Governance perspective, companies that have truly adapted and complied with agreements and legislation, for example, are well-regarded and have a better reputation.

Certainly, this is an achievement and an unequivocal demonstration of strategic intelligence, paving the way towards competitive advantages and excellence in management.

Ultimately, the level of maturity, culture, and internal policies reflect the quality of management.

LGPD: compliance versus protection!?!

The General Data Protection Law has a focus and approach specifically geared towards protecting personal data. That is, it exclusively protects against the processing of information related to individuals.

Therefore, two considerations are obvious. From these, it is possible to clearly understand the difference between adequacy and protection in relation to the LGPD (Brazilian General Data Protection Law).

Firstly, in accordance with the very name of the General Data Protection Law (LGPD), the focus is on the individual, the human person. Therefore, companies and other private entities are excluded from the "protection" of the LGPD.

Secondly, the effectiveness of personal data protection is only achieved through information security. This applies to both digital and analog means, such as physical files.

The importance of information security technologies for the effective protection of personal data and information that companies and organizations need to make available to their customers and users is evident.

How to comply with the LGPD (Brazilian General Data Protection Law)

Adapting to the LGPD (Brazilian General likely . To a greater or lesser degree, companies and organizations must be able to standardize the collection of their customers' and users' data and, above all, increase the effectiveness of information security technologies.

According to an article published on the Lumiun blog earlier this year by Aléx Oliveira, to comply with the LGPD (Brazilian General Data Protection Law), it is necessary to be in conformity with the new legislation.

See below for 15 tips to adapt to the LGPD and comply with the new legislation.

  1. Define a process for obtaining consent for the processing of personal data.
  2. Implement a solution for managing data subject rights.
  3. Develop a data retention and disposal policy.
  4. Create and maintain a record of personal data processing.
  5. Implement a solution for Data Protection Impact Assessment (DPIA).
  6. DPO (Data Protection Officer) governance model.
  7. Hire an external consultant.
  8. Educate employees through a privacy training program.
  9. Install solutions for identity and access management.
  10. Structure, define, and formalize an incident management process.
  11. Review old contracts and update them with protective clauses.
  12. Include protective clauses in new contracts.
  13. Develop and maintain internal and external privacy policies.
  14. Implement a solution to increase internet and information security.
  15. Define a process for monitoring the regulatory changes of the LGPD (Brazilian General Data Protection Law).

Adapting to the LGPD (Brazilian General Data Protection Law) should mean effective protection

The pursuit of the effective protection that complying with the LGPD (Brazilian General Data Protection Law) must provide undoubtedly demands quality and reliability in internet and information security solutions and technologies.

In fact, the trend is that the technologies in which companies and organizations should invest to ensure effective protection when complying with the LGPD (Brazilian General Data Protection Law) include solutions such as VPNs and firewall devices.

Finally, it's worth remembering that, in order to comply with the LGPD (Brazilian General Data Protection Law), it is essential that managers seek knowledge, implement good information security management practices, and invest in effective internet security solutions in their companies and organizations.