The General Data Protection Law (LGPD) is due to come into full effect on January 1, 2021. From that date, Brazil will have specific legislation protecting the personal data and privacy of every Brazilian citizen.
Because it affects every citizen and every organization that handles their data, the LGPD (Brazilian General Data Protection Law) is raising questions among Brazilian business owners: What is the LGPD? Who enforces it? How does it affect my company? What do I need to do to comply?
This article answers those questions and sets out what your company needs to do to comply with the new law.
What is LGPD?
The General Data Protection Law (LGPD, Law No. 13.709) was enacted on August 14, 2018, and was originally scheduled to come into effect in August 2020; the deadline was postponed to January 1, 2021 because of the pandemic. The law establishes rules that every company and organization processing personal data in Brazil must follow, giving citizens more control over their personal data and requiring transparency about how that data is used, in any medium, physical or digital.
Heavily inspired by the GDPR (the European regulation approved in 2016), the LGPD determines how personal data may be collected and processed and sets penalties to ensure that companies comply. Administrative sanctions range from a warning, with a deadline for corrective measures, to a simple fine of up to 2% of the company's revenue in Brazil in its last fiscal year, excluding taxes, capped at R$ 50 million per infraction, and a daily fine subject to the same total cap.
To comply with the LGPD (Brazilian General Data Protection Law), companies will need to invest in standardizing how they collect personal data and, above all, in securing it. On the security side, the following steps are typically needed:
- Obtain and record the data subject's consent (or another legal basis) for each use of their data;
- Protect the personal data the company holds, both where it is stored and while it is transmitted;
- Implement security controls against unauthorized access, malware, phishing and ransomware, without which the previous item cannot be guaranteed. See our article "Information Security in 2018: relevant facts and the increase in cyberattacks";
- Detect and respond quickly to any suspected threat or incident (the law requires the controller to notify the ANPD and the affected data subjects of security incidents that may cause significant risk or harm); and
- Maintain visibility and control over these security tools. See the article "Lumiun is one of the 117 startups that are changing IT in Brazil."
Who regulates the LGPD?
Once the law is in effect, the body responsible for supervising, investigating and, where appropriate, sanctioning those who fail to comply with the LGPD (Brazilian General Data Protection Law) will be the National Data Protection Authority (ANPD). The ANPD was created in 2018 by provisional measure MP 869/18 (later converted into Law No. 13.853/2019) to oversee the LGPD and apply the sanctions it describes.
It is therefore important that companies start now on the necessary adjustments in areas such as IT, HR, Finance and Legal, so as to avoid penalties once enforcement begins.
How does the LGPD impact my company?
One of the biggest changes the LGPD (Brazilian General Data Protection Law) brings is the control data subjects gain over the data a company holds about them. Every employee, customer or citizen will have the right to know how their personal data is being used by the company, to access and correct it, to know with whom it has been shared, and to request the deletion of data that is unnecessary or was processed on the basis of consent they have since revoked.
Regarding the use of personal data, Law 13.709 requires the company to act in good faith and to follow the principles listed in its Article 6. Among them, we highlight the following:
- Purpose: carrying out the processing for legitimate, specific, explicit purposes informed to the data subject, without the possibility of subsequent processing in a manner incompatible with those purposes;
- Free access: guaranteeing data subjects easy and free access to information about the form and duration of the processing, as well as the completeness of their personal data;
- Security: the use of technical and administrative measures capable of protecting personal data from unauthorized access and from accidental or unlawful situations of destruction, loss, alteration, communication or dissemination;
- Prevention: adopting measures to prevent harm from occurring as a result of the processing of personal data.
Furthermore, Article 7 of the law lists the legal bases under which a company may process personal data; only processing that fits one of them is lawful. We highlight the first, which applies to most organizations:
- Consent of the data subject. Consent must be a free, informed and unambiguous expression by which the data subject agrees to the processing of their data for a specific purpose. The company must therefore tell the individual what data it collects and why before collecting it, and the data subject may revoke consent at any time. Consent is not the only basis, however: performance of a contract, compliance with a legal obligation and the controller's legitimate interest, among others, are also listed, and choosing the correct basis for each processing activity is part of the compliance work.
In short, the major impact of the LGPD (Brazilian General Data Protection Law) on companies is related to information collection and security policies. In this new scenario, users will have the right to full information about how the entity, whether public or private, will use their data, for what purpose, how and for how long it will be stored, and with whom it may be shared.
We know there is a lot that needs to be done within companies to comply with the new law. Therefore, it is important to reiterate that organizations should begin adapting their processes and products as quickly as possible to avoid fines from the ANPD (National Data Protection Authority).
Adapting the company: next steps
The LGPD (Brazilian General Data Protection Law) will apply to all sectors of the economy and to all sizes of companies. Even companies averse to technology and that still maintain their records on paper are subject to the new law. After all, it is the personal data of citizens that is stored by the company, regardless of whether the format is physical or digital.
The first step is to define a team responsible for analyzing internal procedures for data collection and the flow of that information within the company, including the third parties with whom the data is shared. Many companies call this the compliance team: being in compliance, or compliant, means conforming to external laws and regulations and to internal policies. The law also requires the controller to appoint a data protection officer (the encarregado) to act as the point of contact for data subjects and the ANPD.
Once all workflows are documented and the gaps identified, the company should begin the procedures needed to make its handling of personal data secure for both employees and the company, closing each identified gap in turn.
How can Lumiun help with LGPD compliance?
The LGPD (Brazilian General Data Protection Law) requires data processing agents to adopt security measures capable of protecting personal data from unauthorized access and from accidental or unlawful situations of destruction, loss, alteration, communication, or any form of inappropriate or unlawful processing.
Lumiun is a cloud-based service that protects your company from internet threats, making your network more secure and your team more productive.
Discover some of the benefits of Lumiun:
- It prevents attacks on the company network and adds a strong layer of protection against viruses and malware.
- It provides information about internet usage within the organization, with reports containing the websites accessed, times, website categories, etc.
- It allows the implementation of an access policy , with rules based on website category, security and reputation levels, and time of day.
- It increases network security , reducing the risk of data theft.
- It classifies internet access into categories and security levels, preventing access to harmful and unwanted websites.
- It protects every device connected to the local network, including computers, tablets and smartphones, and enforces access rules on all of them, such as blocking specific websites and social media.
- See more benefits and features on the Lumiun website: www.lumiun.com
In short, Lumiun helps your company meet the security and prevention principles of the LGPD (Brazilian General Data Protection Law). It increases the security of all equipment (servers, computers, mobile phones) by preventing access to harmful and unwanted websites such as hacking, malware, spyware, phishing and online fraud sites. It also has an easy and intuitive control panel for applying access control rules and viewing security reports, firewall logs and real-time traffic. Network protection is one part of compliance: the legal basis for each processing activity, data subject rights and the other obligations described above still need to be addressed.
Try Lumiun out using our demo panel.
Bonus
And for those of you who have read this far, we have a bonus. We have created a document template that you can download and adapt to your needs to obtain consent from employees and users for the company to process their data. Download the Personal Data Processing Consent Form Document Template. Remember that the LGPD requires consent for a specific purpose, so adapt the template to describe the data actually collected and the purposes of the processing.
Another resource that may interest you is the Sample Internet Usage Policy for Companies. This document informs employees of the company's workplace internet usage policy and records their acknowledgement of the rules, with the goal of ensuring the proper use of technology resources.
Did you like this article? Share it with your colleagues so you can work together to make your company LGPD-compliant.
Do you have any questions? Leave them in the comments and I'll be happy to answer them.