Date: 2020-05-12

Warning: use of cookies! In recent months, this message has attracted the attention of Internet users when browsing a new website. This frequent warning is one of several changes that Brazil will experience with the arrival of the General Data Protection Law, also known as LGPD. Society is, in fact, entering the information age as a consumer good.

This moment is part of the so-called Revolution 4.0. Regarded as the Fourth Industrial Revolution, it captures the moment society is in, where data is decisive for any business. The new data protection law came to change the way all companies operate, in Brazil and in the world, but it still seems nebulous to many. A survey conducted by Reclame Aqui in 2019, for example, showed that 41.6% of Brazilian companies still do not know what LGPD is.

But before understanding the law, it’s important to understand its context and why investing in data protection is so important going forward.

How did the LGPD come about?

The origin of all this is in information, since it is the most valuable asset for generating business. One of the first to understand the value of data was psychology professor Aleksandr Kogan, who collected data from more than 270,000 users through a Facebook test. He gathered information such as name, surname, location and pages liked on the social network and sold it to a company called Cambridge Analytica.

In 2015 this fact became known to the creator of the network, Mark Zuckerberg, who accused the professor of a data breach, since Facebook prohibits the transfer of information to third parties. The test was suspended and the data was deleted, or so it was thought. From then on, the discussion of data protection emerged with even more force.

This case spurred the creation of the General Data Protection Regulation (GDPR), a set of European Union laws aimed at regulating data privacy. And it was from the GDPR that the discussion of LGPD in Brazil emerged, since the country also needs to adapt to the law to be part of the economic bloc.

What is LGPD?

But what does LGPD mean in practice? From the moment the computer is turned on or the cell phone screen lights up, data is being provided. However, it is necessary to understand that data is not only that which exists in the digital environment, as Welington Strutz, pre-sales manager at Qriar Tecnologia, explains.

“A building that collects data from people who enter and leave is a very clear example of who should adapt to the LGPD, even if the medium used is paper and pen,” he says. “If I own this building, it is important to make clear to the visitor the reason or purpose for collecting this information, and not simply to say that it is ‘for registration purposes’. The purpose of the law is to allow people to be owners of their data, understand the reasons why they are collected and decide whether or not they want companies to have access to them,” he says.

As mentioned, all users are being bombarded by the cookie notice when visiting a news portal, for example. As much as no financial transaction is being carried out there, there is an exchange of data where the portals redirect news. These data were, until then, being collected and used, many times, without the user’s consent.

“It is necessary to discover the personal data that the company collects, whether from customers, employees and business partners, to review the reasons for which this data is being collected, and to find opportunities to simplify administration, reduce the number of registrations through consolidation where possible, and improve the experience of cardholders in accessing and managing their information on digital channels,” explains Welington. “Our job at Qriar is to enable digital businesses by balancing convenience and protection in access, through solutions centered on identities and APIs that connect people, their devices and information in a practical and secure way.”

Who should comply with the new data protection law?

In other words, every company that collects customer information will need to comply with the new data protection law, no matter the size or use of that collected data. “It’s about empowering information holders to decide to keep, delete or manage what data will be used and how,” explains Welington. “And that goes from a building ordinance to the Human Resources department of a company that keeps resumes; companies that have only a dozen registrations or companies with a gigantic database”.

According to a survey conducted by Capterra, only 40% of small and medium entrepreneurs are prepared for the arrival of the LGPD in Brazil. The law will require companies to make an ongoing investment to protect customer data. The LGPD will not be applied only in cases of journalistic use, academic use, use of public security and in case of data that originated in another country and are only passing through Brazil.

Entry into force and penalties for non-compliance with the LGPD

The General Data Protection Law was expected to come into force in August 2020, but recently the Senate voted to postpone it due to the COVID-19 crisis. This extends the term a little more for Brazilian companies to adapt to the new law.

This Senate vote determines the date the law will come into force, but its supervisory body, called the National Data Protection Authority (ANPD), is the one who will define when the sanctions can begin to be applied. The approval of the Chamber of Deputies is still required, which should propose adjustments in the future.

The effectiveness of the new law implies that any individual, as a data subject, may request access to the processed data, exclusion or even the revocation of consent that had previously been granted.

According to Leandro Avanço, a researcher in the Digital Automation, Governance and Mobility Section (CIAM) of the Technological Research Institute (IPT), the relationship between the company and the LGPD supervisory body must be made by a single data professional, the Data Protection Officer. The DPO will be responsible for supervising changes within the company so that it is fully compliant with the new data protection law.

For those who fail to comply with the LGPD, the following penalties will apply:

A warning;

Fine of up to 2% of the legal entity's revenue in its last fiscal year (limited to R$ 50 million per infraction);

Daily fine observing the limitation mentioned above;

Blocking of personal data;

Elimination of such personal data from the institution’s database;

Suspension or prohibition of treatment activity in these states;

Publication of the infringement.

10 questions to measure how prepared your company is for LGPD

To help your company verify how prepared it is to apply the new General Data Protection Law, here is a checklist:

Can you find your data?

Can you classify and protect your data?

Can you manage employee access to data?

Can you manage your test data?

Can you manage the applications that process your data?

Can you prevent abuse of privileged user accounts?

Can you balance the ease of accessing data securely?

Can you manage data in directories?

Are you able to clear unused user accounts?

Can you identify data leaks in real time?

