What to do and what not to do

The LGPD (Brazil's General Law for the Protection of Personal Data) is one of the current business challenges of digital transformation; after all, personal data is one of the main assets of today's organizations. To comply, companies will have to account for the privacy of their employees and customers and adapt their systems and processes to this new culture.

A company can begin its preparation by strengthening the information security of the main systems that handle personal data, thus reducing the risk of leakage. Such preventive measures align the organization with the principles of security and prevention set out in the LGPD. It is worth remembering that an incident management procedure must be built in parallel, so that the company can quickly fulfill its obligations (such as notifying the ANPD and the affected data subjects) and mitigate impacts.

It is equally important to make policies, privacy notices and a service channel available so that data subjects can be informed, request the correction or deletion of their data, and exercise their other rights. Whether on websites or in institutional forms, everything needs to be communicated clearly and concisely. The LGPD lists transparency as a key principle for compliance, and this is reflected in giving people information and access.

Challenges arising from the law

According to Bruno dos Santos and Tainã Dias da Silva, both from ICTS Protiviti's Data Privacy area, one of the main challenges is to ensure that prospective customers can manage their preferences and, at the same time, control how their data is used. Depending on the number of data subjects involved and the business segment, it is advisable to evaluate privacy management software to support consent management for marketing and communication actions. In this sense, the LGPD is a milestone for companies to strengthen a relationship of trust and respect, and communication that does not invade people's privacy is essential.

Another point to consider on this journey is the inclusion of privacy and data protection in corporate risk monitoring. In 2020 alone, more than 8.4 billion cyber attack attempts were recorded in Brazil, according to a report released by FortiGuard Labs, and in 2021 Brazil saw several mega leaks of personal data. These numbers underscore the importance of monitoring privacy risks: neglecting them can result in contractual and reputational damage, in addition to the financial and administrative penalties that the ANPD (National Data Protection Authority) has been able to apply since August 1, 2021.

Part of this risk may come from sharing data with third parties and business partners. Clearly identifying which third parties process personal data, and adjusting contracts and agreements accordingly, helps protect this information and limit the purposes for which it may be used, preventing risks from materializing. One suggestion is to create a specific due diligence procedure for such third parties.

In addition to applying the measures above, it is necessary to pay attention to what should not be done, such as treating privacy as something temporary. Data protection is a consequence of the digitization of business, which means privacy must be treated as part of governance. When a company fails to assign privacy roles and responsibilities to key business areas and does not appoint a data protection officer (the encarregado required by the LGPD), the impact on the organization's trust and sustainability can be considerable in the short to medium term.

In this sense, setting up multidisciplinary teams to handle the topic, and evaluating whether to hire a specialized consultancy, can be a real differentiator. Seeing the need to adapt to the LGPD as an opportunity to review processes, improve technologies, map risks and implement solutions is a way to build a future on a present obligation.

Source: Bruno dos Santos and Tainã Dias da Silva, from ICTS Protiviti