It may seem controversial to imagine that the General Law of Data Protection (LGPD) will suddenly come into force throughout the country. After all, Law No. 13,709/2018, which defines the new legislation, was sanctioned on August 14, 2018, establishing an 18-month adaptation period, scheduled to begin in 2020.
However, the law went through postponements in the same year it was to take effect (2020), and then it was expected to be extended to 2021 due to the COVID-19 pandemic.
But, between comings and goings in the National Congress and presidential approvals and vetoes, we are expecting the Law to come into effect at any moment. Unfortunately, these changes generate a lot of instability regarding the new legislation and a risk that can directly impact the main objective of the law: the protection and privacy of Brazilians.
In addition to the definition (or lack of a clear definition) of the effective date of the LGPD, the Federal Government has recently established the structure of the National Data Protection Authority (ANPD), the body responsible for overseeing the protection of personal data, elaborating guidelines for the National Policy on Personal Data Protection and Privacy, inspecting and applying sanctions in cases of non-compliance with the legislation, among other duties defined in Law 13,709.
Expectations aside, companies and organizations need, now more than ever, to be prepared for the requirements that will soon be imposed by the data protection law. Despite this long transition period, there are still questions about the LGPD that companies need to understand in order to comply with the new legislation.
To help clarify the main doubts, we have put together a list of the most important questions and answers so that you can adapt your business to the LGPD.
Questions and answers about LGPD that your company needs to know to comply with the data protection law
Although there is no universal checklist applicable to all cases, some problems arise more frequently than others. And these questions and answers about the LGPD will be relevant for years to come, as the new legislation has no expiration date.
#1. Are you a data controller or data processor – do you determine the purposes and means of the processing of personal data or do you process personal data on behalf of another party?
Answering this question is crucial to determining the scope of your obligations under data protection law. Of all the questions and answers about the LGPD, this one will probably guide you to most of the actions that need to be taken going forward.
Data controllers decide what data is collected, for what purpose, how it is processed, and for how long. This means that you are responsible for fulfilling a wide range of obligations, such as protecting the data and meeting principles such as data minimization and transparency of processing. You are also the one who has the obligation to respond to and facilitate the exercise of the data subject’s rights.
On the other hand, if you are a data processor, you process data on behalf of a controller and only within the scope that it has determined. Therefore, you cannot make decisions about what personal data is processed and how. Your primary duty is to protect the data you process from unauthorized access, modification, etc.
#2. Do you perform all processing activities yourself or do you use third-party processing services, such as server rental?
If you use a third-party processing service, you must enter into a specific written agreement (including in electronic form), which should regulate in particular the object and duration of the processing, the nature and purpose of the processing, the types of personal data and categories of data subjects, and the obligations and rights of the controller.
Remember that even if you do not process the data yourself, you are still responsible for the processing. Choose only those companies that guarantee to implement appropriate technical and organizational processing measures to meet the requirements of the LGPD and ensure data protection.
This set of questions and answers about the LGPD also applies to third-party companies.
#3. Who can access your company’s personal data? Are there different levels of access for different positions?
The fact that you, as the controller or processor, have the right to process the data does not mean that all your employees can access it – it should only be the people whose position within your company requires that they have these rights.
Remember to specify the scope of the authorization – what kind of data they can access (e.g. customer data, employment-related data) and what they can do with the data. Some people will need to have full access, including the right to enter, modify or delete the data, while for others just the right to view the data will be sufficient.
#4. Is all the data you collect really necessary for the purpose of your processing?
One of the main rules of personal data protection is data minimization. It obliges the controller to limit – by default – to the minimum necessary the amount of personal data collected, as well as the extent of its processing, the period of its storage, and its accessibility.
Remember to take this into account when auditing your databases and when designing new data flows (creating forms, making decisions about activity tracking, etc.).
#5. How is the collected data used – what is the purpose of processing personal data?
Data may only be processed for specified, explicit, and legitimate purposes and may not be processed in a way incompatible with those purposes.
#6. Do you collect sensitive data – such as health records, data on racial or ethnic origin, religious or philosophical beliefs, etc.?
Processing sensitive data is prohibited by default and can happen only in specific circumstances described in the LGPD, so a general recommendation would be to avoid processing such data altogether. If this is not possible, seek legal advice to identify remedies that provide a legal basis for processing such data.
#7. Have you checked whether there are processes in your company that require a data protection impact assessment to be performed?
Such an assessment must be carried out in the case of processing that – taking into account its nature, scope, context and purposes – is likely to result in a high risk to the rights and freedoms of individuals, in particular due to the use of new technologies.
It may be necessary in specific cases, including:
- The systematic and comprehensive assessment of personal aspects relating to natural persons that is based on automated processing, including profiling, and upon which decisions that produce legal effects on the natural person or significantly affect him/her are based.
- The processing of sensitive data on a large scale.
- The systematic monitoring of a publicly accessible area on a large scale.
#8. How will the right to data portability be handled? In what format will the data be provided to the data subject or to another controller at the data subject’s request?
The right to data portability can be exercised if the data subject has provided data to a controller, the processing is performed by automated means, and the processing is based on one of the following legal bases – the data subject’s consent or a contract to which the data subject is a party.
It allows the data subject to request a copy of their data in a structured, common, and readable format. The LGPD does not provide further specifications of this format, so it is up to the controller to choose it, keeping in mind that the data subject may request that the data be transmitted directly to another controller.
#9. How can a user request access to his/her data, including receiving a copy of his/her personal data being processed? Will this process be conducted manually or automatically? In what format will the copy be provided?
The data subject may ask the controller for a copy of his or her personal data being processed. When this right is exercised for the first time, the controller must provide this copy free of charge, but in case of further requests, the controller may charge a reasonable fee based on administrative costs.
Unless otherwise requested by the data subject, if the request is made by electronic means, the information must also be provided in electronic format.
In preparing for the data subject to exercise their data rights, the controller must ask itself a handful of important questions, the most important being:
- How the request can be made – using a dedicated website, with a request form and instructions, or perhaps, for example, by e-mail;
- Whether this process will be conducted manually or automatically;
- In the first case, whether there are enough trained personnel to handle the incoming workload;
- Whether the existing procedures and organizational means allow such requests to be met without undue delay.
#10. Will data be shared with third parties, including within your group? When, how, on what legal basis?
When you are the data controller, sharing data with other entities can take two forms:
- The processing will be carried out on your behalf, you specify its purpose, duration, the obligations of the processor, and so on – in this case you need to conclude a contract regulating all these issues with the processor, and you do not have to ask the data subject for his or her consent to do so;
- Your company loses control over the data it shares and its processing, and the recipient becomes an independent controller of that data – in which case you will need a legal basis for sharing personal data (e.g. consent from the data subject specifying with whom you share the data and for what purpose).
Questions and answers about the LGPD that go beyond the basic concepts
Basic questions like “What is LGPD?”, “What is personal and confidential data?”, “When does LGPD go into effect?” have been left out to show that the data protection law is directly linked to your company’s business processes, and therefore the goal of implementing the data protection law should be something more in-depth.
This means that questions and answers about the LGPD should focus on tools and measures such as the adoption of electronic signatures, encryption and training, among other points not covered in our list. It is necessary to go further.
With a little over a year to go, companies need to keep an eye on the next steps of the General Data Protection Law, that is, the execution of the necessary compliance actions before the LGPD goes into effect.
Companies like EVAL help you implement your strategy to meet expected requirements before LGPD takes effect with solutions to assess risks, enforce policies, protect data, respond to incidents and requests, and prove compliance.
EVAL can help your company unify business operations with data protection and security, enabling risk measurement across the organization to assist in implementing a comprehensive LGPD compliance plan.
EVAL has been developing projects in the financial, health, education and industry segments for over 18 years. Since 2004, we have offered Authentication, Electronic and Digital Signature and Data Protection solutions. Currently, we are present in the main Brazilian banks, health institutions, schools and universities, and different industries.
With value recognized by the market, EVAL’s solutions and services meet the highest regulatory standards of public and private organizations, such as SBIS, ITI, PCI DSS, and LGPD. In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.
Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.
Eval, safety is value.