Brazil’s new data protection regulation will come into force in August 2020.
The General Data Protection Law (LGPD in Portuguese), which adopts best practices on transparency, legal certainty and efficiency, will make a difference in how companies in Brazil operate.
The legislation has an extraterritorial application, meaning the law applies to any individual or organization, public or private, that collects or processes personal data in Brazil – regardless of where that organization is based. It also applies to organizations that intend to offer services to individuals in Brazil.
Here are three keys to understanding this new law:
A solid framework for data governance
Gaps in the regulatory framework for management of personal data in Latin America have resulted in dangerous leaks, harming both companies and individuals. In recent years, technological advances have driven regulatory changes to protect the rights of job applicants and employees as well as companies when handling personal information.
One of the most important aspects of the LGPD provides companies with rules to establish a solid structure for governance and control of personal data. The new law is clear and leaves little room for ambiguity or interpretation. These are some of the principles that will frame data governance:
- A mapping of the data handling process, from collection to elimination, should be available. The origin of the data should be identified, in order to show that data complies with regulations.
- The purpose and use of the data must be identified. The LGPD lists 10 hypotheses that authorize the use of personal data.
- Companies should create workflows and tools to manage data traceability in order to have the ability to verify the data’s lifecycle, including any changes or access to the data.
- The law establishes that a Data Manager, similar to the Data Protection Officer (Data Protection Officer) established by the European Union’s General Data Protection regulation, should be responsible for the company’s compliance with rules regarding use of personal information of job applicants, employees or customers. The Data Manager ensures that the organization adapts this new regulatory framework and the practices to be followed in relation to the protection of personal data.
Better information security management, better reputation
Two primary issues in current data protection laws are related to the way data is obtained and for what purpose. Consent for collecting and using data, restrictions on its use and deletion of data are very specific aspects already included in almost all laws in the region.
But while compliance with data collection and its use is very important, the security measures required by current legislation for processing and using data are just as relevant. Companies are not only responsible for complying with regulations on data collection but also for monitoring and controlling the processing of this data.
Organizations that meet the requirements for certification under ISO 27001 have demonstrated good judgment regarding information security management, where it is equally as important to have an encrypted platform as it is to have a robust framework of internal policies that facilitate information security.
The payoff for these information security efforts will be a better reputation for the company and development of new business, in addition to drastically reducing the potential cost of fines. The new Brazilian law contemplates penalties up to 2% of the company’s turnover, limited in total to R$50 million (Brazilian Reals) per infraction.
LGPD: transparency and reliability for the individual
One important focus of the LGPD has to do with the experience of individuals vis-à-vis the handling of their information by a company. In this new technological context, transparency and reliability will be tangible indicators of competitiveness for companies.
The LGPD requires all companies that handle personal data, within Brazil, to establish channels for user support that ensures the individual has complete autonomy over information entrusted to the company. Data owners will retain the right to make changes or corrections and even to completely revoke their consent to use their data whenever they consider it appropriate.