General Personal Data Protection Act, is your company prepared?

By Dr.Tis on 18 November 2019
Law 13,709 known as the General Personal Data Protection Act (LGPD) was passed in August 2018 and entered into force in August 2020.

But do you know what this law says and how it affects your business?

Just over a year ago, President Michel Temer sanctioned the LGPD, and since then this issue has kept many companies awake at night.

The fact is that the security of customer data has become the responsibility of companies, which, in addition to protecting this data, are prohibited from marketing and sharing it.

With the sanction of the LGPD, Brazil joins the countries that have a specific law for the protection of user data. The law was influenced by the GDPR (General Data Protection Regulation), the data protection law sanctioned by the countries of the European Union in 2018. It is noteworthy that the GDPR serves as a model not only for Brazil but also for other countries, which have adopted its rules or reinforced those already in force in their territories.

Under the new law, companies must follow stricter rules for data protection, storage, processing and sharing policies, at the risk of penalties ranging from 2% of company revenues up to 50 million.

What does the LGPD say?
In the same vein as the European regulation, the LGPD changes the way the collection, storage, processing and sharing of personal data operate, imposing a higher standard of protection and penalties for those who do not comply with the standards.

The law understands that personal data are those that identify the people to whom the collected information relates, and that data processing is any action taken with that information, such as collection, processing, categorization, classification, use, storage, sharing, selection, among others.

With regard to data processing, we highlight two hypotheses that allow this action by companies:

Providing Consent: The data owner must state their willingness to continue the relationship with the specified company;

Legitimate interest of the controller: Allows the processing of personal data for legitimate purposes arising from concrete situations.

This is one of the most questioned and debated points of the LGPD, as it can be interpreted to allow the controller to perform behavioral actions and target their advertisements. In France, for example, the French National Data Protection Commission (CNIL) fined Google 50 million euros on the understanding that the company conducts behavioral testing of its users and uses the results for targeted purposes without substantiation.

The law also determines some principles that must be obeyed; here we highlight four of them: adequacy, use, necessity and transparency. These principles are a warning sign for companies that accumulate data without planning. The LGPD is totally against these habits and requires that companies maintain immediate interaction with the data owner and that collection is done in a planned, appropriate way and for a determined purpose.

Profiles involved in LGPD
Holder: Individual who owns personal information

Controller: Agent (company or individual) responsible for planning, handling and storing collected data. It is the one who makes all decisions regarding the holder's information.

Operator: Company or individual who is usually hired by the controller to perform the data processing work.

Person in charge (encarregado): This profile created by law (individual or corporate) will be the communication channel responsible for disseminating the company's data processing policy to employees who must comply with the LGPD. In addition, the person in charge will have direct communication with the National Data Protection Authority (ANPD), the body responsible for issuing LGPD-related standards and for enforcement.

LGPD In Health, What Care Should You Take?
In the area of health, in addition to personal data, we deal with what the LGPD refers to as sensitive data, namely data on racial or ethnic origin, religious belief, political opinion, affiliation to a union or to an organization of a religious or philosophical nature, health or sexual life data, and genetic or biometric data, when linked to a natural person. This information deserves special attention in its treatment and storage, which is why we list some points of attention for the handling of this information:

Collection Policy
Why are we requesting the data?
What data are we requesting?
Where will this data be stored (local server, cloud)? Is it secure?
How long will this data be available?
Will backups be made? How often?
What measures will be taken if the data is leaked?
Who will be involved?
Compliance Policy for Data Collection, Treatment, and Storage
Procedure Routines
Team training.
The General Personal Data Protection Act (LGPD) is a reality and is here to stay; we must maintain ongoing actions so that we are not caught by surprise.

This article aims to inform and to spread awareness of the importance of adapting to this new scenario. If in doubt, always consult a lawyer you trust.