Law 13.709, known as the General Personal Data Protection Act (LGPD), was passed in August 2018 and will enter into force in August 2020.
But do you know what this law says and how it will impact your business?
A little over a year ago, President Michel Temer sanctioned the LGPD, and since then this issue has kept many companies awake at night.
The fact is that the security of customer data has become the responsibility of companies, which, in addition to protecting this data, are prohibited from marketing and sharing it.
With the sanction of the LGPD, Brazil joins the countries that have a specific law for the protection of user data. The LGPD was influenced by the GDPR (General Data Protection Regulation), the data protection law adopted by the members of the European Union in 2018. It is noteworthy that the GDPR served as a model not only for Brazil but for other countries as well, which adopted the same rules or reinforced those already in force in their territories.
Under the new law, organizations will be required to establish strict security rules and policies for the protection, storage, processing and sharing of data, under threat of significant penalties of up to 2% of company revenue, capped at 50 million.
What does LGPD say?
In line with the European regulation, the LGPD will change the way organizations function and operate by establishing clear rules on the collection, storage, processing and sharing of personal data, imposing a higher standard of protection and penalties for non-compliance.
The law defines personal data as data that allow the identification of a person through the information collected, and data processing as any action taken with such information, such as collection, processing, categorization, classification, use, storage, sharing and deletion, among others.
With regard to data processing, we highlight two of the legal bases (hypotheses) that make this activity by companies lawful:
Providing Consent: The data owner must state their willingness to continue the relationship with a particular company;
Legitimate interest of the controller: Allows the processing of personal data for legitimate purposes assessed in concrete situations. This is one of the LGPD's most questionable and debated points, as it can be interpreted in a way that allows the controller to conduct behavioral analysis and target its advertising. In France, for example, the French National Data Protection Commission (CNIL) fined Google €50 million on the grounds that Google was conducting behavioral analyses of its users in order to offer targeted products without any justification.
The law also establishes principles that organizations must obey; here we highlight four of them: adequacy, purpose, necessity and transparency. These principles have lit a warning light for companies that accumulate data without planning. The LGPD goes completely against these habits and requires that companies maintain direct interaction with the data owner and that collection be done in a planned, appropriate and purposeful manner, with the purpose determined in advance.
Profiles involved in LGPD
Holder: Individual who owns personal information
Controller: Agent (company or individual) responsible for planning, handling, defining the purpose of and storing the collected data. The controller makes all decisions regarding the holder's information.
Operator: Company or individual, generally hired by the controller, that performs the data processing work on the controller's behalf.
Person in charge: This profile, created by the law (individual or legal entity), is the communication channel responsible for disseminating the company's data processing policy to employees so that the company complies with the LGPD. In addition, the person in charge is responsible for direct communication with the National Data Protection Authority (ANPD), the body responsible for issuing LGPD rules and monitoring compliance.
LGPD In Health, What Care Should We Take?
In the area of health, in addition to personal data, we deal daily with what the LGPD calls sensitive data, which refers to: "racial or ethnic origin, religious belief, political opinion, membership in a trade union or in a religious, philosophical or political organization, data concerning health or sex life, genetic or biometric data, when linked to a natural person". This information deserves special attention in its processing and storage, which is why we list some points of attention that we should keep in mind when handling it:
Why are we requesting the data?
What data are we requesting?
Where will this data be stored (local server, cloud), and is that storage secure?
How long will this data be stored?
Will backups be made? How often?
The General Personal Data Protection Act (LGPD) is a reality and is here to stay; we must take care not to be caught by surprise.
This article aims to inform and spread awareness of the importance of adapting to this new scenario. If in doubt, always consult a lawyer you trust.