The LGPD (General Data Protection Law) tries to strike a balance between being strong enough to give individuals clear and tangible protection and, at the same time, being flexible enough to meet the legitimate interests of companies and the public.
An important starting point with the data protection law is the concept of personal data. The LGPD only applies when personal data is processed. Personal data is information by which a person can be directly or indirectly identified.
Most people are aware that, for example, a name, address and e-mail address are personal data. But there is more: an IP address or a device ID is also considered personal data, as are various other pieces of information.
The 7 points of attention of the Data Protection Act: what you should know
In general, the concept of the LGPD seems easy, right? But in practice it isn’t. Companies have had years to prepare for the entry into force of the new legislation, but most are still lagging behind in introducing processes and tools for users to exercise these new rights.
Companies are still struggling to provide the necessary resources to help users. It’s not as if one day after the data protection law comes into force, all our privacy problems will magically disappear. That’s why the LGPD’s points of attention are so important.
#1: Objectives of the Data Protection Act
There is no need to read the official text of Law 13.709 of August 14 to understand the objectives of the General Data Protection Law. Within our points of attention in the LGPD, this legislation can be summarized as recognizing users’ rights over their personal data and requiring total transparency from platforms when processing that data.
From this practical point of view in our list of the LGPD’s points of attention, it becomes clear that the most sensible course of action for all organizations that provide services, digital or otherwise, should be to collect only the personal data that is necessary and to store this information only for as long as is necessary.
In fact, the articles of the LGPD focus on exactly this idea.
#2: Who the LGPD applies to
It is important to highlight in our list of points of attention of the Data Protection Law that any company that offers goods or services in Brazil, regardless of where the company itself is located, is subject to the regulation.
By complying with the requirements of the LGPD, companies will avoid paying expensive fines, improve the protection of customer data and strengthen customer trust.
#3: The creation of a new position in companies
According to the Data Protection Act, companies deemed responsible for their users’ personal data must delegate data protection to a controller, who will be responsible for protecting all personal data.
It is extremely important that this person receives dedicated training on the legislation and the related obligations, and that their knowledge of the subject is continually broadened.
This matters because the entire organization, as the data controller, could face administrative fines or other legal sanctions in cases where data processing standards are not maintained.
#4: Evaluating processes and reducing exposure to risks
Data protection law requires consideration of how data is being used to make business decisions about specific individuals.
A piece of information that does not qualify as personal data for one organization can become personal data once a different company obtains it, depending on the impact that data may have on the individual.
It all depends on why the organization is processing the data. If an organization processes data for the sole purpose of identifying someone, then that data is, by definition, personal data, and hence the need to reduce exposure to risk.
#5: Adoption of the Privacy by Design development standard
Why should you care about the Data Protection Act?
Firstly, because you (or the company) care about the privacy of the people whose data you process. And also because non-compliance can give your organization a bad reputation and lead to the payment of severe fines.
This means that it is very important to take the requirements of the GDPR into account at all stages, also in the design phase and when selecting, cleaning and using your test and backup data.
Failure to do so will result in systems that do not comply with the legislation. Extensive, and sometimes even impossible, rework at a corresponding cost will probably be necessary to correct these problems.
So take these requirements into account from the outset and avoid creating technical debt in terms of privacy and data protection.
#6: Pay attention to subcontractors and partners
The LGPD makes a distinction between a data processor (basically, the entity that processes personal data) and a data controller (the entity that decides the purposes and means of that data processing).
Controllers are required to use processors, including public cloud operations, that implement appropriate technical and organizational measures taking into account “the state of the art and the costs of implementation” as well as the nature, scope, context and objectives of the processing.
#7: Fines imposed by the Data Protection Act
The substantial fines that can be imposed by the LGPD are well known. Under the new legislation, sanctions are imposed by the National Data Protection Authority (ANPD).
According to the data protection law, the fine for the incorrect use of personal information is up to R$50,000,000.00 (fifty million reais) per infraction, or 2% of the turnover of the private legal entity, group or conglomerate in Brazil for the previous financial year.
In addition, companies are subject to additional administrative sanctions applied by the national authority, which could result in the business becoming unviable due to financial loss or the company’s name or brand being compromised in the eyes of the consumer market.
The LGPD’s points of attention are just the beginning: there’s a long road ahead
For many organizations, there is still a lot of work to be done before the Data Protection Act is properly implemented.
Eval has solutions for data discovery, application encryption, data tokenization, anonymization, cloud protection, database encryption, big data encryption, protection of structured and unstructured files on file servers and in the cloud, and key management to meet different demands in the area of data security. These are solutions that allow businesses to be compliant and protected against data leakage.
Eval can help your company unify business operations with data protection and security, enabling the measurement of risk throughout the organization to assist in the implementation of a comprehensive LGPD compliance plan.
EVAL has been developing projects in the financial, health, education, and industry segments for over 18 years. Since 2004, we have offered solutions for Authentication, Electronic and Digital Signature, and Data Protection. Currently, we are present in the main Brazilian banks, health institutions, schools and universities, and different industries.
With value recognized by the market, EVAL’s solutions and services meet the highest regulatory standards of public and private organizations, such as SBIS, ITI, PCI DSS, and LGPD. In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.
Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.
Eval, safety is value.