The General Data Protection Law, LGPD, turns 6 years old and according to data from 2023, more than 80% of Brazilian companies have not yet adapted to meet its requirements. The law was created with the aim of protecting the fundamental rights of freedom, privacy and the free formation of the personality of each individual. Considered a significant advancement in Brazilian legislation in terms of protecting information circulating on the web, the LGPD is the result of a spontaneous movement by Brazilian society and authorities.
Remember LGPD
Law No. 13,709/2018 addresses the processing of personal data, whether in physical or digital form, carried out by both natural and legal persons, whether public or private entities.
Personal data includes information related to identified natural persons, such as name, surname, ID, CPF (Brazilian Individual Taxpayer Registry), or unidentifiable information, such as geolocation data, IP address, device identification, among others.
In addition to personal data, sensitive data is also classified, characterized by information such as racial or ethnic origin, religious belief, political opinion, affiliation with unions or organizations, whether religious, philosophical, or political in nature, as well as data related to health, sexual life, genetic and biometric data.
In other words, any personal information provided in digital and physical mediums is used, stored and even processed in some way. To ensure the security of this information, LGPD ensures that nothing will be used without the user’s permission.
In practice, the law impacts all companies, whether micro, small, medium or large. Any activity that uses personal data in the execution of its operation, such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation, or control of information, modification, communication, transfer, dissemination or extraction.
For example, when you go to the doctor and provide your personal information for registration. This information is stored in the doctor’s database, whether physical or digital. Therefore, the doctor must ensure the security of this data and cannot provide it to other individuals or companies.
Similarly, your customers, when signing up for your newsletter or providing data during a purchase. You need to make it clear to the customer for what purposes their data will be used and also ensure that it’ll be secure.
The law establishes a legal framework for the rights of data subjects, which must be guaranteed throughout the existence of the data processing carried out by the company. To ensure the exercise of these rights, LGPD provides a set of tools that deepen transparency obligations.
Who needs to comply with the law’s requirements?
The General Data Protection Law applies to any operation involving the processing of data, whether carried out by a natural or legal person, whether public or private. This means that public entities are also included in these adjustments.
It’s worth noting that it doesn’t matter whether the headquarters of this organization or data center is located in Brazil or abroad; whenever there is processing of information about Brazilian individuals or others, as long as they are in national territory, the requirements of the LGPD must be observed.
All market sectors operating in Brazil must comply with the legislation, including research and study organizations.
Benefits of LGPD for Your Company
One of the main motivations for the creation of the law was cyber attacks resulting in data leaks, similar to those that have occurred in companies like Facebook, Uber, Adobe, Banco Central and even the Ministry of Health.
Therefore, one of the main advantages of adapting your company to LGPD requirements is to increase legal and cybersecurity appropriate for current times. After all, IBM data reveals that Brazil ranks 4th in the data leak records and in the second half of 2022, Brazil showed an almost 50% increase in cyber attacks suffered.
Companies that comply with LGPD requirements improve their relationship with customers, conveying greater trust and generating more credibility for the brand. Additionally, increased awareness of data protection promotes access control to information, making risk mapping possible and reducing security flaws.
What Has Changed Over the 6 Years
Over the years, the law has undergone adaptations to become closer to the reality of entrepreneurs. Among them is the relaxation of measures for micro-businesses, small businesses, startups and similar entities.
In 2023, significant changes took place, such as the commencement of inspections and the imposition of penalties for illegal activities. This empowered the National Data Protection Agency (ANPD), the regulatory body responsible for inspections, with the aim of making the measures more efficient.
The approval of the Dosimetry Regulation and the appropriate application of sanctions by authorities were also important milestones in the previous year. As a result, the ANPD (National Data Protection Agency) (https://www.gov.br/anpd/pt-br) managed to impose its first fine, emphasizing the importance of companies being in compliance. Now, penalties can range from fines of up to 2% of revenue to the suspension of activities for a specified period.
However, there is still a long process ahead, focusing on continuous improvement until the percentage of compliant companies is higher, reversing the current proportion. The trend is that in 2024, the topic will be even more addressed, especially regarding the international transfer of data, also influenced by Artificial Intelligence.
Other aspects are also on the agenda for this year, such as the legal hypotheses for the processing of personal data, the definition of high risk and large-scale processing, the term of conduct adjustment and improvements regarding sensitive personal data, especially biometric data.
How to Get Started
Despite being 6 years since its creation, most companies have not yet made the necessary adjustments, mainly due to a lack of understanding of how the law works and what the first steps are to get started.
The first step is a cultural change, especially concerning File Management. It’s necessary to map the existing documents and data in the company to classify this information according to LGPD classifications.
Next, it’s essential to assess the impacts of the law within the organization and develop an action plan for compliance with the new rules. Internal policies and procedures should also undergo a review, with special attention to those involving the processing of personal data.
Appointing a professional or department responsible for compliance can facilitate the process, including training all employees on the new rules.
Investing in technology and security is also a fundamental step to ensure the confidentiality of circulating data, whether processed or merely stored. Hiring software that guarantees data protection, control and treatment is essential.
And, if you want to learn more about Data Protection Management, you can consult our ebook, available on our website.
Discover our solutions: Data Protection Management
Interact Suite SA offers a solution for LGPD Management, aligned with all principles of Brazilian legislation, ensuring control, protection and processing of personal data obtained in organizations.
The solution enables the creation, management and automatic generation of the Personal Data Protection Impact Report, a document required by ANPD (National Data Protection Authority), capable of certifying good data management by organizations.
Author:
Bianca Wermann
Journalist, Communication and Marketing Analyst at Interact Solutions.