02/11/2020
What are the impacts of the LGPD and how can you adapt as soon as possible?

What are the impacts of the LGPD on business? How to comply correctly? What are the deadlines? If you're still not up to speed, it's time to adapt as soon as possible.

The General Data Protection Act is the latest legislative requirement for both physical and digital data. It mandates the protection of all data under the responsibility of the company or controller, whether it belongs to customers, users, suppliers, employees, etc.

That's why we've prepared a complete article so that you can find out exactly what the consequences of underestimating this new law are and how the correct compliance works. Check it out!

Emergence and objectives of the LGPD

The LGPD was approved in Brazil in response to the need to protect physical and digital data. Article 1 of Law No. 13,709 of August 14, 2018 states that:

Art. 1 - This Law provides for the processing of personal data, including digital data, by natural persons or by legal entities governed by public or private law, with the aim of protecting the fundamental rights of freedom and privacy and the free development of the personality of natural persons.

Article 2 lists the main objectives of the legal instrument, such as respect for privacy, economic and technological development and innovation, human rights and the free development of personality, among others.

Other objectives relate to strengthening citizens' rights, as well as better planning and definition of the collection and use of data through consent.

Impacts of the LGPD

It may seem like just another law that has come into force, but the LGPD is already attracting the attention of managers because of its many points of impact. Below, we discuss some of the main ones in more detail.

Costs

Both in terms of implementation and sanctions, the law will have a financial impact. It is recommended that an expert or a specialized company assist in the process of adapting to the law. As for sanctions, the fines promise to be very heavy if the law is broken. Brazilian legislation provides for fines of up to 2% of an organization's total turnover, capped at a total of R$50 million per infraction.

Moreover, in more serious cases, the punishment can be even more severe. The ANPD can order the blocking of the personal data to which the infringement relates until it is regularized, or even the deletion of that data.

Faced with this risk, it is necessary to carry out a personalized assessment of the company in order to recommend measures and tools to secure personal data against incidents of any kind. It is important that managers know how to turn this cost into an intelligent investment to optimize the organization's management.

Information monitoring will also be restructured and will require new training for IT professionals in order to process and store the data. Particularly with regard to compliance management, it will be necessary to comply with this law in order to guarantee the organization's compliance with national legislation.

We would also point out that article 48 of the law mentions important information such as the reporting of security incidents.

Art. 48: The controller must notify the national authority and the holder of any security incident that may cause relevant risk or damage to the holders.

The first paragraph of the same article also presents important considerations such as a reasonable time to communicate and the mention of the nature of the personal data affected, information about the data subjects involved, etc.

Other points of attention in the Law are:

  • new technological tools for implementation and management;
  • new data analysis process;
  • among others.

In view of this, it is to be hoped that the new management solutions will already include this adaptation to the LGPD. The tools will have to work on the basis of transparency and data control with user authorization.

Restrictions on consumers

With regard to sales funnels, which are so common in digital attraction strategies, the LGPD will also have an impact on segmentation algorithms for marketing, remarketing and other actions. There will be no implied consent, meaning that all authorization must be clear and objective.

Communication

It must be made clear to the user how their personal data will be processed. Personal information is the property of the citizen and cannot be shared or exploited without their consent. Therefore, digital analytics, big data, artificial intelligence, digital advertising and publicity applications, among others, will have to exploit the data in accordance with the policies established in the new legislation.

Another point of attention in relation to communication is the relationship with consumers and businesses. There is no implied consent for approaches or interactions and the request for authorization to access data will affect the company's digital marketing strategies.

Tips for companies to adapt

It is important that the company integrates the data governed by the LGPD so that its systems remain consistent and aligned with the new needs. Below are the main tips for making this implementation as successful and fast as possible.

Have a good plan

Plan your implementation. This is the first step for any addition to existing systems. Evaluate the main points of attention, software costs and other issues to ensure a correct installation. Remember that there's no point in installing an application if it is not installed correctly. Otherwise, you could face the same penalties and financial losses in the future.

Appoint a person in charge

It is essential that the organization appoints an employee to be in charge of the entire process, from implementation to operation and monitoring. The person in charge should understand the organization's processes, the relevant legislation and technology, preferably information security.

As we discussed earlier, it is likely that a new specific function for this control will be established once the law comes into force. Therefore, even if a specialized company is hired for this, the ideal is to have a dedicated employee.

Train staff

It will be necessary to train the team of employees responsible for the data management area. Establish new rules, policies and guidelines to ensure compliance with the LGPD.

Define best practices for data use without violation and secure processing in relation to user privacy. Employees in this area will be one of the main assets in this adaptation. Article 50 of the Law guides these practices. Specifically, item I considers:

I - implement a privacy governance program that, at a minimum:

a) demonstrates the controller's commitment to adopting internal processes and policies that ensure comprehensive compliance with standards and good practices regarding the protection of personal data;

b) is applicable to all personal data under its control, regardless of how it was collected;

c) is adapted to the structure, scale and volume of its operations, as well as the sensitivity of the data processed;

Understand the law in depth

Read the law and look for the main points of attention. Delve deeper to find out how the system will work and what programming changes will be necessary to adapt correctly. If possible, assign a collaborator with legal knowledge or a lawyer to properly interpret the wording of the law. The entire body of the law and its amendments must be studied.

Map the processes

Map out the collection, storage, use, transfer and disposal processes. Look for ways to improve this process and adapt it to the new requirements of the law. The main rules for collecting, using and processing data include:

  • expressly informing the data subject of the purpose of the use and processing of their data;
  • allowing data subjects free access to their information in its entirety;
  • special protection using technological security measures against intrusions and unauthorized access to personal data;
  • training and adaptation of password management and employee access to user data.

Implement intelligent management

Implementing intelligent and dedicated management is one of the main ways of handling this new implementation. By opting for a company specializing in this field, the manager will have at their disposal a trained team that is totally focused on this management.

Adopt new tools and technologies

Technological tools, especially related to protection, will be fundamental to this adaptation. Anti-virus software, systems for blocking attacks, as well as others such as backing up data and user information will be essential. If your organization doesn't already have a policy on this issue, the LGPD will bring this new vision to guarantee the integrity of data subjects.

Another special tip at this point is to consider the cloud computing trend, which facilitates this security and optimizes the management of customer data. It is therefore important for managers to prioritize data management in order to improve the administrative process as a whole in the company's business project.

Review the privacy policy

Still on the subject of implementing security, it is important to adopt a policy focused on this point and to establish a series of adaptation measures that will mainly involve:

  • documenting new routines and procedures;
  • training and mentoring teams of employees;
  • constantly updating information and sharing it with the teams;
  • the constant updating of basic technology to implement and sustain the new measures;
  • review of the organization's entire compliance management;
  • among others.

Data controller

The company's adaptation to the LGPD also involves the implementation of a new function, such as the institution of a professional in charge of data processing (also called DPO in English texts). Take a closer look at what these terms mean.

Data Protection Officer

The Data Protection Officer, or "DPO", is the English name for this person in charge of data processing. The legislation opens up the opportunity to create a new position dedicated exclusively to this function. In other words, it is a career opportunity for an employee or a possibility for outsourcing.

This type of professional should mainly have the following skills and abilities, according to the law:

§ 2 The activities of the person in charge consist of:

I - accept complaints and communications from owners, provide clarifications and adopt measures;

II - receive communications from the national authority and take action;

III - provide guidance to the entity's employees and contractors on the practices to be taken in relation to the protection of personal data; and

IV - perform other duties determined by the controller or established in complementary rules.

§ 3 The national authority may establish additional rules on the definition and duties of the person in charge, including the possibility of waiving the need for their appointment, depending on the nature and size of the entity or the volume of data processing operations.

Punishments for non-compliance with the LGPD

Finally, we need to mention the main punishments for those who fail to comply with the LGPD. Neglecting this measure could lead to a series of problems for the organization. The impacts of the LGPD basically affect the financial health of the organization, but other points such as the destruction of image and credibility can also occur due to a lack of proper handling of this issue.

The main points of damage include:

  • initial warning with the establishment of deadlines for the implementation of corrections in the digital system;
  • heavy fines of up to 2% (two percent) of the turnover of the private legal entity, group or conglomerate in Brazil in its last financial year, excluding taxes, limited in total to R$50,000,000.00 (fifty million reais) per infraction;
  • publicity of the infringement and consequent damage to the company's image and credibility;
  • blocking and even deletion of the personal data to which the infringement refers until it is regularized, in more serious cases.

As we can see, the sanctions are too heavy for this important demand to be neglected. Hence the need to implement the adaptations as quickly as possible to ensure that this does not happen in the future.

Help from a specialized consultancy

A specialized consultancy can help with this. iT-eam has important differentials in this technology to help business managers ensure a good implementation. The main innovation tools include:

  • IoT EAM with IBM MAXIMO, a business unit solution for asset management and ensuring process management reliability;
  • analytics to improve business decisions and work with available data, as well as gaining insights to improve competitiveness;
  • security, a security system in partnership with information security companies such as IBM;
  • among others.

Outsourcing to implement the control and management of the LGPD proves to be a safer and more cost-effective way of preventing possible inconsistencies in compliance. A specialized company will have a team ready to address the issue and carry out the most appropriate actions to integrate the new functionalities into the organization's current business system.

If you haven't put this plan on paper yet, now is the time! Ensure credibility, compliance and reliability in your company with this extremely important measure to avoid suffering the impacts of the LGPD on your business.

If you want to speed up this process and ensure professionalism in this implementation, get in touch with our team now!
