Business owners in the technology sector are already familiar with issues related to user privacy.
This is because the use of user and customer data on the internet generates heated debates in the technological world.
For many, the boundaries are still not well defined.
With the introduction of the General Data Protection Law (LGPD), the scenario changes.
There is no more room for uncertainty.
Companies that have customer and user databases need to understand what the law is about in order to avoid breaking the law!
If you are a business owner in the technology sector or are unsure about the law, pay attention to the following.
Privacy in the crosshairs of Europeans
Recently, the misuse of personal data in various leaks – including those influencing the 2016 US elections – has prompted the European Union parliament to develop specific legislation on the subject.
GDPR – General Data Protection Regulation – was created.
The regulation governs how data from residents of the European Union should be processed and influences companies worldwide, since the internet allows European citizens to interact with foreign websites and vice versa.
In short, European law protects citizens from the misuse and commercialization of their personal information.
It is important to emphasize that the Brazilian LGPD (Brazilian General Data Protection Law) was heavily influenced by the regulations put into effect in the old world.
But what exactly does the General Data Protection Law say?
The General Data Protection Law
Law 13.709/2018, better known as the General Data Protection Law, was created in the global context of the discussion on privacy and aims to protect clients, users, and consumers from the misuse of their personal data by companies.
Although approved in 2018, the law gave a two-year deadline for adjustments.
The effective date of the General Data Protection Law (LGPD) has been postponed to January 1, 2021, due to the pandemic.
First and foremost, it is important to emphasize that Brazilian law governs any and all sensitive customer information, whether stored in physical or digital format.
Therefore, all companies must comply with the legislation, including those that are not in the information technology sector!
The main principles of the LGPD (Brazilian General Data Protection Law) are as follows:
- Respect for privacy
- Informational self-determination
- Inviolability of privacy […]
- Free enterprise, free competition, and consumer protection.
- Human rights, the free development of personality, dignity, and the exercise of citizenship by natural persons.
As can be seen from the text, the main focus of the law is to protect citizens.
Precisely because of its legal focus, it is necessary for companies to understand the LGPD (Brazilian General Data Protection Law).
Failure to comply with its rules results in severe penalties, as will be seen later.
Taking all factors into consideration, who are the main parties affected by the General Data Protection Law?
The subjects of the General Law
The LGPD (Brazilian General Data Protection Law) lists four parties involved in the processing of sensitive data:
- The data subject is the person whose data is to be protected.
- The controller is the natural or legal person, governed by public or private law, who decides what will be done with personal data.
- The operator is the natural or legal person, governed by public or private law, designated by the controller who actually carries out the processing of personal data.
- The Data Protection Officer is the person designated by the controller and operator to act as a communication channel between all parties, including the regulatory and supervisory authority.
If your company possesses a database of customers' personal information, it certainly falls under one or more of the above scenarios and may be held liable for violating the law.
Another important point is that individuals are also subject to strict legal measures if they possess personal information about their clients.
It is therefore difficult to imagine a company that is not under the scrutiny of the new legislation.
But what exactly is the General Data Protection Law about?
Key points of the LGPD (Brazilian General Data Protection Law)
The General Data Protection Law (LGPD) contains principles that are important for companies to be aware of:
Purpose
Personal data must be used for the purpose for which it was intended and disclosed to the data subject. Any deviation from this use, including its sale to third parties, is a blatant violation of the LGPD (Brazilian General Data Protection Law).
Adequacy
In addition to respecting the purpose for which the data is intended, the company must ensure that its use is appropriate to the context, that is, that the data processing is contextualized and makes sense in relation to its initial purpose.
Necessity
The law stipulates that data processing should be limited to the minimum necessary to achieve its purposes.
Free access
Data subjects must be guaranteed easy and free access to information regarding the manner and duration of data processing, as well as the completeness of their personal data.
Data quality
Personal data must be accurate, clear, relevant, and up-to-date in relation to the purpose for which it was collected.
Transparency
The content of the stored data must be transparent, meaning the data subject must have easy access to their information.
Security
The company must protect personal data from unauthorized access and from accidental or unlawful destruction, loss, alteration, communication, or dissemination.
Prevention
The data controller must take measures to prevent harm from occurring as a result of the processing of personal data.
Non-discrimination
The data cannot be used for unlawful or abusive discriminatory purposes.
Accountability and transparency
The agent must adopt effective measures capable of proving compliance with the rules.
What happens if a company violates the law? Let's see below.
What happens if the company violates the law?
The law provides for severe penalties in case of non-compliance:
- Warning, indicating a deadline for adopting corrective measures.
- Simple fine, of up to 2% (two percent) of revenue, limited in total to R$ 50,000,000.00 (fifty million reais) per infraction.
- Daily fine for non-compliance.
- Publicizing the infraction.
- Blocking of the data until the situation is resolved.
- Deletion of personal data related to the infringement.
- Partial suspension of the database operation for a maximum period of 6 (six) months, extendable for an equal period.
- Suspension of the activity of processing personal data for a maximum period of 6 (six) months, extendable for an equal period.
- Partial or total prohibition of activities related to data processing.
The General Data Protection Law is extremely strict, which brings us back to the initial question:
So, should my company be concerned about the LGPD (Brazilian General Data Protection Law)?
Yes!
Currently, virtually all companies have databases about their customers and are therefore affected by the LGPD (Brazilian General Data Protection Law).
Those who fail to comply are subject to the full force of the law, which can range from a multimillion-dollar fine to a ban on carrying out the activities, depending on the case and the sector.
Don't be fooled about the potential lack of oversight.
The trend is towards a stronger consumer right to privacy.
Don't wait until you receive a legal notice or a fine!
Lumiun Tecnologia has professionals specialized in this subject.
Stay informed about this topic
See our other article with 14 tips for complying with the LGPD (Brazilian General Data Protection Law).
If you are interested in learning more about this and other topics in the technological universe, subscribe to our Information Security Week to receive weekly curated content on the subject.
Keep visiting our blog. It features many articles related to information security and team productivity!