Marketing Intelliway

Uncovering the Critical Actions for LGPD Compliance

Being compliant with the LGPD (General Law for Data Protection) is a necessity for any business in Brazil today. More and more people understand that their personal data is important and want guarantees that it is used correctly.

In this sense, to support people in this scenario of intense information sharing, the LGPD law was created in Brazil.

Therefore, in this article you will understand the main points of the Brazilian law and organize yourself to comply with the 65 articles related to the life cycle of data. This cycle comprises steps such as collecting, processing, disclosing, and deleting other people's data.

Understand the LGPD

The LGPD is Law No. 13,709/2018, which was created in 2018 but only came into force in 2021. Initially, companies had until August 2020 to adapt to the new requirements, but with the pandemic, the deadline was extended until January 1, 2021.

Before being created in Brazil, the GDPR (General Data Protection Regulation) already existed in Europe, with a similar purpose. Even though they are different regulations, the ultimate goal is to establish rules that companies need to follow to preserve people's data.

The objective is for people to have more control and clarity over the use of their personal data in any physical or online establishment.

However, according to the research “Privacy and protection of personal data” by the Brazilian Internet Steering Committee, only 23% of Brazilian companies have an area dedicated to data protection.

The truth is that even though there are several rules that companies need to follow, the LGPD can be beneficial for business too. After all, customers and users understand that companies are concerned about the treatment of their data. Consequently, they trust these companies and their products or services more.

Who needs to follow the LGPD

Simply put, if your company collects data from Brazilians to carry out its activities, it must comply with the LGPD requirements. Within the scope of the LGPD, companies of all sizes and areas of activity need to comply with the law.

To get a more detailed answer, you need to read the content of the law carefully, understanding which stages of your service and sales process fall under the articles.

Furthermore, your company may be the Controller or Operator in the processing of third-party personal data. Another important point is the location of customers, as it is necessary to evaluate where the data will be collected and processed.

6 essential steps to comply with LGPD

By following the steps below, your company will ensure compliance with the main aspects of the law. Consequently, you will have greater credibility with customers and future customers. And of course, you will avoid the sanctions described in the legislation.

1. Choose a person who will be responsible for data protection in the company;

2. Understand the company's data flow;

3. Find the problems in the current flow;

4. Create a process to ensure the management of DSAR (Data Subject Access Request);

5. Put in place a process for data breach notification;

6. Assess risks periodically.

Understand each of the steps in more detail by reading below.

1. Indicate a person who will be responsible for data protection in the company

Without a doubt, the first step is to determine who in the company will be responsible for the data protection area. According to the LGPD, a DPO (Data Protection Officer) must be appointed.

This person must organize and ensure compliance with the LGPD in the company, in addition to responding to the board about the general situation of the business.

In addition to the DPO, the entire company needs to be trained and empowered to handle other people's data responsibly. Any data that can identify a person falls within the scope of the LGPD law.

To ensure that all processes are happening correctly, it will also be necessary to carry out regular audits.

2. Understand the company's data flow

Identifying the flow that data goes through when it enters a company is a big, but necessary, challenge. After all, it is necessary to be able to carry out real tracking and guarantee that data will be deleted if a person requests it.

With a well-designed flow, confidentiality, availability, and integrity of data can be achieved.

To carry out this data flow mapping you can consider aspects such as: points of data collection, objectives of data collection, data sharing policies, and data retention systems.

3. Find the problems in the current flow

Data flows, especially soon after they are identified, can be improved. The gaps identified will serve to make improvements and achieve greater compliance with the LGPD.

It is important that each deficiency is well-defined so that you can carry out simple and effective actions later.

4. Create a process to ensure the management of DSAR (Data Subject Access Request)

When we talk about compliance with the LGPD, the first thing you should visualize is a way to make data collected from third parties available to these people.

The law guarantees several rights for individuals, including access, rectification, portability, deletion, blocking, and information. Therefore, your company needs to have a process to manage these requests effectively.

This matters because the LGPD sets deadlines for responding to these requests.

To comply with the LGPD, a company must provide data to a subject immediately. There are situations where the DPO has up to 15 days to provide a response to the person. In this case, a detailed report is sent, with information about the origin and storage criteria of the data.

Therefore, it is essential that companies have a platform that automates DSAR management. This makes the work simpler and there is a guarantee of compliance with the LGPD.

5. Put in place a process for data breach notification

Someone's personal data is very precious these days. After all, it is possible to find banking data, identification data, among other sensitive information within the amount of information collected by companies.

Understanding that this data is valuable, criminals are always trying to breach security systems to gain access to it.

And even if your company invests in security and has guidelines to keep databases secure, it is possible for a breach to happen.

Therefore, you need to have an internal process for notifying a data breach. Not only is this important, it is also an obligation under the LGPD.

In addition to knowing that a breach has occurred, the data security team and those responsible for GDPR compliance need to know what to do quickly.

According to the ANPD (National Data Protection Authority in Brazil), the organization must report the data breach within 48 working hours. If the data leak is very large and affects society in some way, it is possible that a public disclosure of the situation will be requested.

6. Assess risks periodically

The risks related to the misuse of third-party data are wide-ranging. This is because a company that works with suppliers and other agents during its operation needs to think about all the stakeholders.

To understand the size of the LGPD compliance operation, it is necessary to carry out a risk assessment. As this stage is delicate, it is worth looking for a company specialized in this activity to carry out the initial analyses.

Then, periodic analysis also needs to happen and can be done by the company's internal data controller.

LGPD Compliance

Having a company that complies with the LGPD requires structure and an investment of money and time.

Even though it seems very complex, when you start performing the tasks everything becomes simpler.

Whenever necessary, count on partners to carry out tasks, especially at the beginning of the entire LGPD compliance process.
