Privacy, data protection and business

LGPD

The LGPD is, in particular, for companies that carry out some data processing in Brazil the most important regulatory framework in order to certify the compliance of their operations with respect to privacy and data protection, a growing demand from all interested parties. This, it should be stressed, is a requirement aimed at allowing the regulations to be complied with, simultaneously taking advantage of the possibilities brought by big data in business and decision making.

In addition to this context, the ANPD announced on January 28, 2021, its regulatory agenda for the 2021-2022 biennium. Specific regulations for microenterprises, small companies and startups are highlighted; rights of holders of personal data; calculation methodology for applying fines; reporting of security incidents; impact report; person in charge and chances of waiving his appointment; definition of the content of standard clauses; and legal assumptions for processing personal data.

This eliminates any doubts regarding the urgency of adapting business to the guidelines of a data governance program. That is, the obligation to adopt good practices for managing availability, usability, integrity and security of data, based on a set of rules applicable to the organization’s activities, which must be consciously followed 24/7.

See, for example, the expressive increase in the number of complaints from personal data holders in the European Union after the GPDR has started. Explain, first, that in that space, people have the right to lodge a complaint before the data protection authority of the Member State, the place of residence, work or where the alleged violation occurred, without prejudice to seeking other administrative or judicial reparations (Art. 77, GPDR). According to a report by Deloitte, between 2016 and 2018 in Denmark complaints increased from 1673 to 5515 (230%); in Austria from 180 to 1036 (475%); and in France from 7703 to 11077 (44%).

This factor undoubtedly highlights the importance of complying with a company’s operations with legislation and regulations on privacy and data protection. After all, the potential for expanding the number of judicial and administrative proceedings, initiated based on complaints from holders of personal data and unilateral interpretations of LGPD provisions, is concrete.

In this context, a diagnosis of operational processes and flows is essential, in order to point out problems, vulnerabilities and risks in relation to the way in which personal data processing operations take place. It is based on this data mapping that it becomes possible to identify the areas of the organization impacted by the LGPD and, consequently, the possible points of non-conformities that require the implementation of a specific solution.

Wilson Sales Belchior