The General Data Protection Law (LGPD) is more than a set of rules; it is a milestone in the way companies and individuals interact with personal data.
The LGPD tries to strike a balance between being strong enough to give individuals clear and tangible protection and, at the same time, being flexible enough to meet the legitimate interests of companies and the public.
An important starting point with the data protection law is the concept of personal data. The LGPD only applies when personal data is processed. Personal data is information by which a person can be directly or indirectly identified.
Let’s take a deep dive into the seven crucial points you need to understand in order to comply with this legislation.
The 7 points of attention of the Data Protection Act: what you should know
In general, the concept of the LGPD seems easy, right? But in practice it isn’t. Companies have had years to prepare for the entry into force of the new legislation, but most are still lagging behind in introducing processes and tools for users to exercise these new rights.
Companies are still struggling to provide the necessary resources to help users. It’s not as if one day after the data protection law comes into force, all our privacy problems will magically disappear. That’s why the LGPD’s points of attention are so important.
So you can better understand what the General Data Protection Law will look like in practice:
# 1: Objectives of the Data Protection Law
The LGPD is not just a legal document; it is a social pact aimed at protecting individuals’ rights over their personal data.
The law seeks to guarantee total transparency during the processing of this data, requiring companies to collect only the information that is strictly necessary and to keep it for the minimum time required.
In practice, there is no need to read the official text of Law 13.709 of August 14 to understand the objectives of the General Data Protection Law.
Within our points of attention in the LGPD, we can summarize this legislation as recognizing users’ rights over their personal data and guaranteeing total transparency from the platforms that process this data.
From this practical point of view in our list of the LGPD’s points of attention, it becomes clear that the most sensible course of action for all organizations that provide services, digital or otherwise, should be to collect only the personal data that is necessary and to store this information only for as long as is necessary.
In fact, the articles of the LGPD focus on exactly this idea.
# 2: Who the LGPD applies to
It doesn’t matter where your company is located; if you offer goods or services in Brazil, the LGPD is applicable. Complying with the law not only avoids heavy fines, but also strengthens customer confidence in your brand.
It is important to highlight in our list of points of attention of the Data Protection Law that any company that sells goods or services in Brazil, regardless of where it is based, is subject to the regulation.
By complying with the requirements of the LGPD, companies will avoid paying expensive fines and improve both the protection of customer data and customer trust.
# 3: The creation of a new role in companies
According to the Data Protection Act, companies responsible for their users’ personal data must delegate data protection to a controller, who will be in charge of protecting all personal data.
The Data Protection Act requires companies to appoint a data controller, a trained professional who will be the guardian of data privacy. This role is crucial to avoid legal sanctions and ensure that data processing standards are maintained.
It is extremely important that this person receives exclusive training on the legislation and related obligations, and that their knowledge of the subject is broadened.
This is important because the entire organization, as the data controller, could face administrative fines or other legal sanctions in cases where data processing standards cannot be maintained.
# 4: Assessment of processes and reduction of risk exposure
The GDPR requires a careful analysis of how data is used to make business decisions. Exposure to risks must be minimized, and any piece of information may need to be treated as personal data, depending on the context and purpose of the processing.
A piece of information that does not qualify as personal data for one organization can become personal data when a different company obtains it, given the impact this data may have on the individual.
It all depends on why the organization is processing the data. If an organization processes data for the sole purpose of identifying someone, then the data is, by definition, personal data, and hence the need to reduce exposure to risks.
# 5: Adoption of the Privacy by Design development standard
The Data Protection Act is not something to be considered after the fact; it must be integrated into every stage of the development of products and services. Ignoring this can result in non-compliant systems and significant costs to correct these problems.
So why should you care about the Data Protection Act?
Firstly, because you (or the company) care about the privacy of the people whose data you process. And also because non-compliance can give your organization a bad reputation and lead to the payment of severe fines.
This means that it is very important to take the requirements of the GDPR into account at all stages, also in the design phase and when selecting, cleaning and using your test and backup data.
Failure to do so will result in systems that are not compliant with the legislation. Extensive and sometimes even impossible rework, at a corresponding cost, will probably be necessary to correct these problems.
So take these requirements into account from the outset and avoid creating technical debt in terms of privacy and data protection.
# 6: Attention to subcontractors and partners
The LGPD makes a distinction between a data processor (basically, the entity that processes personal data) and a data controller (the entity that decides the purposes and means of that data processing).
If you are a controller, it is your responsibility to ensure that your subcontractors also comply with the GDPR.
Controllers are required to use processors, including public cloud operations, that implement appropriate technical and organizational measures taking into account “the state of the art and the costs of implementation” as well as the nature, scope, context and objectives of the processing.
# 7: Fines applied under the Data Protection Law
The substantial fines that can be imposed by the LGPD are well known. Under the new legislation, sanctions are imposed by the National Data Protection Authority (ANPD).
According to the data protection law, the fine for the incorrect use of personal information is up to R$50,000,000.00 (fifty million reais) per infraction, or 2% of the turnover of the private legal entity, group or conglomerate in Brazil for the previous financial year.
In addition, companies are subject to additional administrative sanctions applied by the national authority, which could result in the business becoming unviable due to financial loss or the company’s name or brand being compromised in the eyes of the consumer market.
The LGPD’s points of attention are just the beginning: there’s a long road ahead
For many organizations, there is still a lot of work to be done before the Data Protection Act is properly implemented.
Eval has solutions for data discovery, application encryption, data tokenization, anonymization, cloud protection, database encryption, big data encryption, protection of structured and unstructured files on file servers and in the cloud, and key management to meet different demands in the area of data security. These are solutions that help businesses stay compliant and protected against data leakage.
Eval can help your company unify business operations with data protection and security, enabling the measurement of risk throughout the organization to assist in the implementation of a comprehensive LGPD compliance plan.
About Eval
EVAL has been developing projects in the financial, health, education, and industry segments for over 18 years. Since 2004, we have offered solutions for Authentication, Electronic and Digital Signature, and Data Protection. Currently, we are present in the main Brazilian banks, health institutions, schools and universities, and different industries.
With value recognized by the market, EVAL’s solutions and services meet the highest regulatory standards of public and private organizations, such as SBIS, ITI, PCI DSS, and LGPD. In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.
Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.
Eval, safety is value.