With discussions about privacy becoming even more intense and important, some regulations are being approved on the subject. One of them was the GDPR (General Data Protection Regulation), which deals with security within the scope of the European Union. There were also efforts to approve something similar here in Brazil, and the result was the LGPD (General Data Protection Law).
The new law seeks to control commercial relations and establish rights for holders. In this sense, companies need to pay attention to their principles in order to reorganize themselves to adapt their processes. This way, they can work on their projects, focusing on security and protection from the beginning and preventing risks of exposure, virtual attacks and fines.
If you want to learn about the LGPD and understand how to comply with this regulation, follow the topics below.
What is the LGPD?
The General Data Protection Law emerged in 2018, when it was sanctioned by the then president of the republic Michel Temer. The discussion, however, had been going on for some time. The objective was to create something similar to what is already in force in Europe, the GDPR.
Both laws seek to reinforce data security, establish respect for privacy and control on the part of people who provide information.
In Brazil, a dedicated body is responsible for overseeing this: the National Data Protection Authority, or ANPD.
With this set of rules, the ideal is to make these relationships fairer, so as to affect users less. Thus, there is greater transparency and care from companies to prevent attacks on this personal data.
The law applies to any institution that processes data from Brazilian people in Brazil, regardless of whether it has a headquarters here or not. With this control, the standard requires a greater level of efficiency in data security management, which means that companies start to view the issue as a priority.
In other words, this is an advantage, since we are facing a scenario of virtual attacks and cybercrimes becoming common every day. In this case, it is necessary to protect people and their integrity, as well as penalize those who do not comply and do not take care of protection as they should.
From then on, security management stops becoming a secondary topic and becomes part of the customer experience as well. In other words, it becomes a differentiating aspect for companies and an obligation for them at every step of the customer journey.
What are the principles of LGPD?
In this topic, we will present in detail the main concepts that the general law prescribes.
Consent
One of the key terms the new law emphasizes is consent. Under the LGPD, it is necessary to obtain user approval before a company starts managing their data. In other words, it is necessary to establish a dialogue and request the consent of each holder, as only then will it be possible to use this data for internal operations.
This principle aims to contain the abuse of many organizations in collecting too much information in a non-transparent way. They end up leading the user to provide their information in an unclear way, without direct and formal approval.
There are, however, some exceptions in which processing does not depend on consent. They are:
- data related to legal obligations;
- data used for research studies;
- data whose processing is needed to preserve the holder's life;
- data necessary for public policies.
Purpose and need
Associated with the concept of consent are purpose and necessity. When requesting the use of data, companies must explain the reason for the use and make this issue very clear to customers.
This implies that the data must be used for well-defined activities and specified purposes. Therefore, the recommendation is: when there is no longer a need for use, the data should be deleted from the databases.
This point naturally generates a need for the organization of companies, which must map the data and know exactly what it is based on. With control that ensures that only the information that is currently being used is kept, the risks of loss and corruption of this information are considerably reduced.
Privacy by design
Another issue is the idea of privacy by design. This definition means that companies must ensure control over security and privacy from the beginning of project design. In other words, from the first steps of creating a product or service. This guarantees broad and unrestricted care that extends from start to finish to avoid compliance errors.
A practical example of this is the stricter control of privacy from requirements gathering, with data mapping and structuring the creation of channels for communication and requesting consent.
Partner Compliance
One of the most impactful points of the LGPD is its breadth. The law not only applies to companies that control the data, but also to other partners who receive this information and manage it. Therefore, it will be necessary to create compliance policies that are followed by all stakeholders, in a safe and accurate manner.
In this aspect, we can understand the relevance of questions about whether or not to be headquartered in Brazil. If Brazilian data is being processed by foreign companies, they are still subject to the rules.
Owner, person in charge, controller and operator
It is also essential to understand the terminologies of the new law, in order to clarify the role of those involved in data processing. We have four main terms: the holder, the person in charge, the controller and the operator.
The data subject (the holder), as we have already said a few times, is the owner of the personal information, who transfers it if they wish, upon a request for consent and presentation of the appropriate purpose. The controller is the company that collects and processes the data, uses it for some purpose and is responsible for what happens with these informational assets.
The operator is the person who handles the data on the controller's behalf, which may be a company employee, for example.
Finally, the person in charge is another requirement of the law: each organization must delegate the function of controlling compliance to a professional or a partner company. This employee will be responsible for monitoring the adaptation and ensuring that data is protected according to the standard.
Free access
The law also prescribes that data subjects must have free and simplified access to their data whenever desired. In other words, whenever necessary, customers have the right to request revocation of consent, modification, deletion, as well as any other operations. In this sense, companies must keep data always available and in good quality to meet these requests.
Portability
Still in the idea of free access, data subjects must have the ability to request data portability. This concept deals with transferring data in blocks so that the customer can use the same data on another platform.
It’s like the right to change operator, but keep the number. The customer is able to terminate the relationship with the company, but still has power over their data and can recover it.
Security control
Evidently, the law provides that companies must reinforce their security strategies. It is necessary to focus on greater transparency, control, visibility and combat the main risks. Supervisory bodies must always know what measures are being taken to guarantee this protection through accountability and presentation of reports.
Differences between data definitions
Still on a conceptual level, it is essential to define the differences that exist in the conception of data in the LGPD. There is a clear distinction between personal data, sensitive data and anonymous data.
Personal data is the main asset the law controls: data that allows any person to be identified. Sensitive data is more specific about a person and can be the basis for discrimination, so the law establishes that greater care must be taken with it. Examples are religious belief, race, political opinion, etc.
Anonymous data is the opposite of personal data, as it undergoes some anonymization strategy, such as data masking or group data collection. Thus, they do not allow identifying a specific person.
When should the LGPD be complied with?
The LGPD was due to come into force in August 2020. However, due to the pandemic and the crisis it generated, there were discussions that led to its postponement to 2021. In other words, three years will have passed between the law's approval and its coming into force.
During this time, the ideal is for companies to prepare to establish compliance. With practical actions aimed at adaptation, the company can now reduce the impacts of change, in order to guarantee better results. By following the tips we will mention in this article, it is possible to continue in this direction.
As there are many actions, you need to start right away and plan what needs to be done. Leaving it until the last minute is not recommended and can cause losses.
Who is affected by the LGPD?
The scope of the law is one of its great highlights. It generates impacts for different sectors, both for entire niches and for departments within a company. Any organization that processes data from Brazilian people is subject to it; and within companies, sectors such as finance, IT, HR and marketing/sales will be strongly affected.
In marketing, for example, it is very common to rely on strategies for collecting user data in an unclear way. In some cases, the company needs people’s contact details and forces them to receive messages and notifications via email.
However, this issue will need to change: each action must be agreed with the client, in order to obtain a clear and specific statement of consent.
Likewise, once the data is on corporate bases, it is necessary to follow what we have already said and provide the right of access, correction, deletion and portability. The consent that was initially given can be easily revoked, which guarantees that the owner has full control.
Therefore, campaigns and strategies that use this personal data must be redesigned. The same applies to the sales sector, which relies on data from CRM and pipeline systems, with records of contacts and potential customers. It is essential to have a broad vision and understand the points that require adaptation.
In this sense, companies entirely focused on marketing, which have this activity as their core, will need an even greater effort. Both the sales process and customer service will have to undergo adjustments as well.
In HR, teams often contain records of employees, partners, as well as candidates and former employees. Everything will have to be based on visibility and transparency. It will be necessary to obtain approval even from the collaborators themselves with an exact declaration of the data that will be used and for what purpose. The same method should be used with the others.
In finance, it is also necessary to apply the same care with information about transfers and payments, arising from customers and partners. Not adapting to the principles of the law can open loopholes that can generate huge losses for the company. We will discuss more about the effects in one of the following topics.
The technology sector will have the role of structuring the company and ensuring data protection. Faced with this new moment, it is the duty of the department’s professionals to ensure the pillars of information security:
- availability, which ensures that data is always available and accessible;
- integrity, which requires that data always be accurate and complete;
- and confidentiality, which deals with access control.
Furthermore, the sector will need technological reforms to add tools that support this new moment. In general, it is essential to have a greater vision and have an analytical stance to optimize decisions.
How to comply with the LGPD?
In this topic, we will look at some practical approaches for adapting to the LGPD.
Be aware of the data
To begin with, it is essential that the company carries out good data mapping. In other words, it is necessary to identify which data is used in each system or project, who is responsible for managing this data, what is its life cycle, what is the purpose of this data, among other issues.
The company must also identify which of this information requires consent, in order to seek approval from its holders. This way, it has a safeguard against compliance problems.
The mapping involves a diagnosis of all the company’s projects, systems and bases, in order to try to generate as much visibility as possible. Thus, management will have a broad view of all aspects related to the use of data, in order to obtain the necessary clarity to implement protective measures.
This map will help both with your own internal vision and with your ability to respond to requests from holders, according to your wishes, as we have already defined. If you need to change or delete, everything will be available and easy to access. It will also become easier to present the purposes of use to authorities.
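As an added example (not from the original article), the data map described above kept as an inventory in which each record carries its purpose, legal basis, system and retention period, so that the holder requests mentioned earlier (free access, portability, consent revocation) and purpose-bound deletion can be answered from it. Class and function names and the sample records are constructed for illustration; the retention days and legal-basis labels are assumptions, not values from the law.

```python
from dataclasses import dataclass
from datetime import date, timedelta
import json

@dataclass
class Record:
    subject_id: str      # the holder (data subject) the item belongs to
    field: str           # which item, e.g. "email"
    value: str
    purpose: str         # purpose stated when the data was requested
    legal_basis: str     # "consent", or one of the exceptions, e.g. "legal_obligation"
    system: str          # where it lives (system / project) in the data map
    collected_on: date
    retention_days: int  # life cycle: how long the stated purpose needs it

class DataMap:
    """Inventory of personal data that answers the requests the law grants holders."""
    def __init__(self, records):
        self.records = list(records)

    def access(self, subject_id):
        """Free access: what is held about the holder, with purpose and location."""
        return [{"field": r.field, "purpose": r.purpose, "system": r.system}
                for r in self.records if r.subject_id == subject_id]

    def export(self, subject_id):
        """Portability: the holder's data as one machine-readable JSON block."""
        block = {r.field: r.value for r in self.records if r.subject_id == subject_id}
        return json.dumps(block, sort_keys=True)

    def _drop(self, predicate):
        """Delete records matching the predicate; return how many were removed."""
        keep = [r for r in self.records if not predicate(r)]
        removed = len(self.records) - len(keep)
        self.records = keep
        return removed

    def revoke_consent(self, subject_id):
        """Revocation deletes consent-based records; other legal bases are kept."""
        return self._drop(lambda r: r.subject_id == subject_id and r.legal_basis == "consent")

    def purge_expired(self, today):
        """Purpose limitation: delete records whose retention period has lapsed."""
        return self._drop(lambda r: r.collected_on + timedelta(days=r.retention_days) <= today)

def build_sample_map():
    """Constructed sample records (illustrative values, not real people)."""
    return DataMap([
        Record("s1", "email", "ana@example.com", "newsletter", "consent", "crm", date(2020, 1, 10), 365),
        Record("s1", "cpf", "000.000.000-00", "invoicing", "legal_obligation", "erp", date(2020, 1, 10), 1825),
        Record("s2", "phone", "+55 11 0000-0000", "sales follow-up", "consent", "crm", date(2019, 3, 1), 180),
    ])

def demo(today=date(2020, 6, 1)):
    """Run the holder-request flow on the sample map and return every result."""
    dm = build_sample_map()
    access, export = [e["field"] for e in dm.access("s1")], dm.export("s1")
    purged, revoked = dm.purge_expired(today), dm.revoke_consent("s1")
    return {"access": access, "export": export, "purged": purged, "revoked": revoked,
            "remaining": [r.field for r in dm.records]}
```

Note that revoking consent leaves the invoicing record in place, because its legal basis is one of the exceptions the article lists, while the expired sales record is purged regardless of consent.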
Use good security measures
The other tip is to take care of security by establishing some efficient practical measures. We are talking about reinforcing protection based on technology, which includes the use of good antivirus software, firewalls, backups, encryption tools, monitoring applications, among others.
In some cases, it becomes important to pay attention to cloud computing and its principles, as it can offer greater data protection.
In this sense, adapting to the new law requires the company to reflect on itself and a total readjustment of the way it thinks and views technology. It is therefore crucial to seek support to invest in infrastructure changes and adopt modern applications that help monitor the network, data and systems, and that perform scans to protect against viruses and threats.
In this perspective, we can include the use of artificial intelligence to carry out predictive analyses that identify risks. By using such intelligence, management is able to anticipate possible problems before they arise and prepare countermeasures for them. This predictability favors strategic planning, as well as reinforcing adaptation to the LGPD.
Document the data
After carrying out the mapping, it is also essential to document the data. This process will serve as a way to generate transparency and organize the use of personal data.
In other words, this step serves as an aid to reinforce the pillars of information security (availability, integrity and confidentiality), as well as allowing greater clarity in accountability for supervisory bodies.
Update yourself
In addition to a technical effort, compliance with the General Data Protection Law also requires a self-evaluation and mentality update. For this reason, it is necessary for companies to update themselves and know how to convey this to their customers.
This issue includes reviewing and redesigning privacy policies to allow data subject access, always request active permission and maintain focus on the purpose that was stipulated for each piece of data.
However, updating also involves changing the brand positioning to focus on compliance with the law, as well as on security and privacy as a whole. It is essential to build the image of a company that is truly committed to these issues, as this will help its relationship with customers and improve its reputation in the market.
Of course, this change in policy serves both outsiders and insiders as a guide.
Work on employee engagement
Employee engagement is another crucial step, as compliance depends on the group, not just the leaders. All employees must be properly aligned and committed so that the process is natural and organic.
For this reason, management must train members about the points of the new law, as well as teach them about the practices to be followed. After that comes monitoring and inspection of actions.
Configure your systems
Marketing automation needs to follow LGPD rules in the same way as other fronts. It is necessary to reconfigure the systems in accordance with the new policies to ensure the best possible care with the ideas of the new law. For example, in the case of email blasts, the company will need to review its strategy in order to achieve compliance.
Work on communication channels
To ensure adaptation to the idea of free access, it is essential to open new channels of communication. The company must always be available for customer service so that the holder can request any of the operations we have already mentioned.
It is essential to think about the customer experience at this moment and seek omnichannel service: across different channels and media, in an integrated manner.
What are the penalties for non-compliance with the LGPD?
If companies do not comply when the law comes into force, various penalties may be applied. One of the penalties is the warning that may occur in cases of virtual attacks, with a set deadline for correcting the breaches. This one is a little milder.
However, depending on the severity of the events, a fine of up to 50 million reais may be imposed. This will certainly have a strong impact on the company’s finances, directly affecting its planning, health and sustainability.
Furthermore, there may also be data blocking, which results in operational downtime until the errors are resolved.
If they suffer attacks, companies will need to clearly inform what happened, the real impact, as well as the measures that are already being taken to remedy the losses. When there is a violation of the law, this factor may become public, which affects the organization’s reputation and credibility.
This problem can soon reach customers and have a negative impact on them. This lack of compliance becomes propaganda against the company and drives away new contacts and those who had already done business with the organization.
How can a specialist company help with LGPD compliance?
A specialized company offers help that the business would not be able to obtain otherwise. It offers expertise, with the necessary and in-depth knowledge on all aspects of the law, as well as being able to carry out an accurate diagnosis of the organization’s current condition.
With an outsider’s perspective and that of experts, it is therefore feasible to work on weak points and optimize already strong points. The support of a partner helps internal members not need to be overwhelmed and allows them to focus on other issues in the company’s core business.
This way, it is possible to identify risks and vulnerabilities, as well as eliminate errors in the company’s adaptation process. An external view also helps to determine specific solutions, according to the characteristics of the business.
Depending on the characteristics of the business, major changes to processes and systems may be necessary.
The LGPD has already been approved and will soon be in force. It is essential to comply with this law to avoid losses, as well as strengthen the company’s image in the market, with a better relationship with its customers and partners.
To do this, it is necessary to review policies, engage employees, create communication channels, among other actions. Counting on a specialized partnership can be the key to better results.