
ANPD and LGPD: The Importance of Law 13.853

On July 8, 2019, Law No. 13.853 was published in the Federal Official Gazette (DOU) with the purpose of formalizing the creation of the National Data Protection Authority (ANPD).

As a national authority and public administration body, the ANPD is responsible for ensuring, implementing and enforcing compliance with the General Data Protection Law (LGPD) throughout the national territory.

According to the LGPD, the National Data Protection Authority is composed of:

  1. Board of Directors
  2. National Council for the Protection of Personal Data and Privacy
  3. Internal Affairs
  4. Ombudsman
  5. Own legal advisory body
  6. Administrative units and specialized units necessary for the implementation of the LGPD

In addition, the Board of Directors of the ANPD shall be composed of five (5) directors, including the Chief Executive Officer.

But Law 13.853 did not only create the ANPD; it went further and established important changes for companies that need to adapt to the requirements of the General Data Protection Law.

The approved modifications were fundamental for the applicability of the LGPD, since without the creation of the ANPD the law risked becoming practically unworkable, contradicting a system that has demonstrated worldwide effectiveness.

LGPD requirements: Law 13.853 went beyond the creation of the National Data Protection Authority (ANPD)

The General Data Protection Law provides, among several competences, that the ANPD must ensure the protection of personal data and develop guidelines for the National Policy for the Protection of Personal Data and Privacy.

Therefore, the National Data Protection Authority has a great responsibility for supervising the requirements defined by the LGPD, which must be met by companies adapting to the new legislation that comes into force in 2021.

In addition to consolidating the creation of the ANPD, Law 13.853 was responsible for solidifying important changes provided for by data protection and privacy legislation:

  • The law provides that data protection is of national interest, avoiding the proliferation of state and municipal laws that attempt to regulate the matter;
  • The data controller may be a legal person, and its appointment will also involve the data operator. In the original version, this assignment was exclusive to the data controller;
  • With the changes, the law excludes the obligation to inform the data subject in cases of processing of personal data to comply with a legal or regulatory obligation or when carried out by the public administration, for the execution of public policies provided for in rules or contracts;
  • It expands the hypotheses of communication and shared use of sensitive data related to health, clarifying that the scope includes data related to pharmaceutical care and auxiliary services of diagnosis and therapy, as well as cases of portability requested by the holder and financial and administrative transactions resulting from the use and provision of said services;
  • Health insurance companies are prohibited from using health data for risk selection, or for the purpose of hiring or excluding beneficiaries;
  • It inserts the possibility of waiving the communication by the controller to the data controller in the case of sharing data that has undergone correction, deletion, anonymization or blocking, where such communication proves impossible or represents a disproportionate effort;
  • It establishes conditions for cases of sharing personal data, contained in databases in government agencies, to private entities;
  • It brings the hypothesis of direct conciliation between the data controller and the data subject (in cases of individual leaks or unauthorized access) prior to the application of legal sanctions;
  • It establishes the need for the members of the ANPD Board of Directors, chosen by the President of the Republic, to be approved by the Federal Senate;
  • It defines rules for the composition of the ANPD, its attributions and the origin of its revenues.

The ANPD has various roles and responsibilities, including investigating organizations that have suffered data breaches, imposing penalties where appropriate and generally auditing companies for their data collection and storage practices.

How does ANPD support the General Data Protection Law and businesses?

As the national authority responsible for overseeing and applying sanctions in case of non-compliance with data protection and privacy legislation, the National Data Protection Authority also aims to promote good practices in the processing of personal data and guidance on data protection.

In practice, the publication of Law 13.853, creating the ANPD, consolidates the legal bases for processing, data auditing and privacy policies, aiming to ensure that the personal data of customers and employees are processed legally.

The importance of the ANPD for business

The publication of Law 13.853 was fundamental for companies that already face several challenges in their routine search for information security in their business processes.

There are often time and budget constraints, and more pressing operational concerns may take priority over cybersecurity.

But there are other issues as well, such as the lack of knowledge of data protection and privacy, which directly affects the difficult journey of meeting the requirements of the LGPD.

Therefore, the National Data Protection Authority should help companies understand their data protection responsibilities by providing resources, support and guidance, tailored to the needs of organizations according to their segment, size and applicability of data protection law.

In addition, the ANPD should promote awareness among the population of public rules and policies on personal data protection and security measures, prepare studies on national and international practices on personal data protection and privacy, and encourage the adoption of standards for services and products that make it easier for individuals to control their personal data. These standards should take into account the specificities of the activities and the size of those responsible.

Indeed, technology is driving changes in the social, political, legal and commercial environment that the National Data Protection Authority needs to regulate.

The most significant data protection risks for individuals are now driven by the use of new technologies and so the role of the ANPD will be key throughout this process.

With just over a year to go, companies need to be aware of the next steps of the LGPD, that is, the implementation of the necessary compliance actions in accordance with the law.

About Eval

Eval has been developing projects in the financial, health, education, and industry segments for over 18 years. Since 2004, we have offered solutions for Authentication, Electronic and Digital Signature, and Data Protection. Currently, we are present in the main Brazilian banks, health institutions, schools and universities, and different industries.

With market-recognized value, Eval’s solutions and services meet the highest regulatory standards for public and private organizations, such as SBIS, ITI, PCI DSS, and LGPD. In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.
