If you are a manager or entrepreneur, you have certainly heard about the new law that will directly impact how companies handle data. But are you sure you know what LGPD is?
If you still can't answer this question, this article will help you. In the following topic, we will explain what LGPD is and why this law was created.
Before thinking about the definition, it is important to remember that it is necessary to plan a course of action to ensure compliance with the law within your company.
In this article, in addition to explaining what LGPD is, we are going to give tips on how to implement it in your company and talk about the risks that organizations that do not follow the rules run.
To understand the changes that the LGPD will bring about, let's start with its definition.
What is LGPD?
The LGPD (General Data Protection Law) or Law 13.709, of August 14, 2018, aims to regulate and control the processing of personal data by Brazilian companies.
In this context, any information through which it is possible to identify a person is considered personal data.
We can cite as examples of personal data names, surnames, addresses, birth dates, document numbers, telephone numbers, e-mails, IP addresses, among many others.
The LGPD then applies to all operations involving the processing of personal data carried out in Brazil.
That is, any person or organization that collects, stores or shares personal data of third parties will be impacted.
Companies of all segments and sizes necessarily deal with a huge amount of data about themselves, employees, partners and customers in order to conduct their business, so it is obvious that the LGPD represents the need for **significant changes**.
One of the principles of the Law is to ensure that individuals have the right to access, change and protect their personal data considered sensitive.
The Law was published in 2018, but companies have until December 20, 2020 to comply with the rules. Some of its fundamentals are as follows:
- Respect for privacy;
- Informative self-determination;
- Freedom of expression, information, communication and opinion;
- The inviolability of intimacy, honor and image;
- Economic and technological development and innovation;
- Free enterprise, free competition and consumer protection;
- Human rights, the free development of personality, dignity and the exercise of citizenship by natural persons.
To better understand what LGPD is and what it represents, we can think of examples, such as the fact that companies cannot access personal information without prior authorization from the customer.
And when the customer gives consent, the company becomes legally responsible for the processing of this data and, if it does not comply, it may be fined.
For organizations that use data as assets, as is the case with many technology companies, the impact is enormous.
Often, these companies use the data to create strategic intelligence and be able to provide personalized service to their potential customers.
Personalized offers, in principle, are very welcome and favor customers, meeting their needs.
The problem is that customers almost always have their data collected and moved without knowing what is being done with it.
Therefore, the LGPD determines that, when requesting access to the personal data of customers, the company must inform them of the purpose for which it needs the data.
This promotes transparency in the relationship between companies and customers and improves the user experience.
In addition, customers will become more aware of the value of their personal data and what can be done with it.
What happens if the company does not comply with the LGPD rules?
As we saw in the topic above, in addition to knowing what LGPD is, you need to make the required adjustments so as not to contravene the established rules.
If the company decides to ignore the LGPD or does not pay attention to all the details that need to change, it will have to bear the penalties.
Different penalties are listed in the LGPD according to the specificity of each breach of the Law.
The lightest of these is a simple warning, which is intended to educate the company.
But the most feared penalty is the fine, even though the simple warning can already damage the organization's image with its customers.
Fines vary according to the case and can reach up to R$50 million. There are also daily fines, which are intended to prevent misuse of data from continuing.
There are also cases in which the immediate interruption of all activities that use personal information within the company may be requested.
In other words, if your company is not yet following the LGPD rules, it is better to adapt as soon as possible, as the consequences can be very serious.
How to implement LGPD in your company
Now that you know what LGPD is and that trying to circumvent it is not an option, let's talk about the actions needed to comply with it within your company.
The changes needed are not few. It will be necessary to review contracts and processes, in addition to contacting clients and hiring qualified professionals to handle data processing.
So, check out the steps below and see what adaptations you need to make.
Create an expert team to make data decisions
Since data is so relevant to the company and the LGPD is about it, there is nothing more natural than having at least one professional within the company to take care of its processing.
This does not mean that only this team or this professional will have access to the data that the company needs to deal with.
In fact, this team must make the decisions about data handling that must be followed in all internal processes of the company.
This team will also be responsible for meeting requests from customers and the regulatory authority.
You can hire professionals already specialized in data management or qualify existing members of your team.
The important thing is that whoever is responsible for this demand has a broad knowledge of the legislation and good data protection practices.
This team must monitor, from beginning to end, the collection, separation, mapping and destination of data within the company.
Map existing sensitive data
In addition to giving the correct treatment to the data that will be under the company's responsibility from now on, it is also necessary to take care of the existing data.
Review your databases and ask the entire team to list the data they handle on a daily basis.
With the list of processes and data handled, create a system or spreadsheets in which you can see the whole picture.
Check out how this information is collected and stored. Ensure procedures are secure.
Then, check if there was authorization from customers, employees or suppliers to collect these data as well as the date of consent.
If there is no authorization for some information, try to obtain it.
Check the reasons why the data was collected and who has access to it.
Create a way to collect authorizations
To understand what LGPD is, it is necessary to see people's privacy as one of its pillars.
Taking into account the importance of privacy, it is necessary to request authorization to access and use the information, in addition to informing the owner of the data for what purpose you intend to use it.
If you are going to use an authorization form, for example, it is important that it has clear and accessible language and that it is not pre-marked.
The customer, employee or partner must also be aware that they may request the deletion of their data at any time.
Justify all data movement
Keep your procedures up to date and keep any and all documentation that refers to data processing.
Inform data owners of any changes in how their information is used and have the authorizations updated.
People need to know that their information is secure.
Control all entries, movements and exits of information from your database and have at hand the justifications for each action related to them.
Create a culture of data accountability
It is necessary to encourage all employees to take responsibility for data processing.
In other words, changes related to the LGPD should not be imposed, but implemented based on a new vision that should be shown to everyone.
You can promote the qualification of your team members with regard to data processing and information security, encourage good practices and provide training courses.
By gaining an alignment of the entire team, it will be easier to deal with potential conflicts, as everyone will know what to do.
Now that you know what LGPD is and how to implement it in your company, it's important to continue to understand the ways to handle data. Did you know that LGPD does not consider anonymized data sensitive? You can learn more about this subject by reading another article on our blog.