25/08/2020 | News
General Data Protection Law: what you need to know to comply with the legislation.
Enacted two years ago, the General Data Protection Law (LGPD) was supposed to come into effect this week. It is now expected to take effect in January of next year. COVID-19 has put the new legislation in limbo: an agreement between the federal government and the National Congress may decide the future of Provisional Measure 959/2020, published in April by President Jair Bolsonaro, which sets out details of aid payments during the pandemic and postpones the LGPD.
Meanwhile, companies and institutions that handle citizens' personal data need to adapt to the General Data Protection Law (LGPD), even though its effective date is uncertain. “In recent weeks, we have observed that, while browsing the internet, websites and applications are requesting our consent for the use of this information. But most are not ready for the LGPD, and research indicates that almost 20 percent of managers don't even know what it is about,” points out lawyer Luiz Paulo Germano, who works in compliance. To assist his clients, he saw the need to develop a manual covering the procedures, adaptations, and risks involved in implementing the new law.
In other words, if you're lost on this subject and still don't know what it's about, you're not alone. The General Data Protection Law seeks to create legal certainty by standardizing the rules and practices that govern the personal data of every citizen within Brazilian territory. With clear rules and a regulatory body – the National Data Protection Authority (ANPD) – the law will affect relationships between customers and suppliers of products and services, between employees and employers, and national commercial relations, as well as any other relationship in which information about a person is collected.
Lawyer Luiz Paulo Germano explains that all companies and institutions must comply with the LGPD, as the sanctions are severe. The fine for a violation can reach 2% of revenue, up to 50 million reais per infraction. The text does not specify whether the authority will treat non-compliance as a single infraction or as a separate occurrence for each affected user, which could substantially raise the effective fine limit. Furthermore, damage to the company's image can lead to even greater losses.
Five key points to understand the LGPD:
1. Any and all collection or sharing of data must be consented to by the data subject. Without authorization, it cannot be done!
2. Data refers to personal information typically used for registration. Texts and photos posted on social media can also be protected!
3. There is a special category of information, classified as "sensitive data." This includes, among other things, records of beliefs, race, political opinions, genetic information, and health conditions.
4. The processing of data from children and adolescents may only be carried out with the authorization of their parents or guardians.
5. Companies and corporations must request consent from data subjects in a clear and precise manner, justifying the purposes.
The rules apply to data held in physical form as well, not just data that is online. In other words, even self-employed professionals who keep client or patient records in files that never leave their office or practice will have to take steps to comply. "A simple WhatsApp conversation could be considered a data breach, depending on its content. If an establishment requests my CPF (Brazilian tax identification number) in exchange for a discount and I agree, the data can only be used for that purpose," explains Germano.
What is the difference between data theft and data leakage?
Both situations can occur when a company, institution, or professional holds the personal data of third parties. A data leak is when this information is misused and "leaked" for purposes other than those previously agreed upon, for example passed to business partners so they can sell a product or service. Theft occurs when attackers break into vulnerable company systems and extract user data, usually for crimes such as credit card cloning and identity theft.
Why is a law necessary for this?
When you share any personal information, you need to be sure that this data will not be misused. In 2019, at least 24 billion attempted cyberattacks were recorded in Brazil, according to Fortinet, a multinational information security company. This year, in the midst of the pandemic, the Rio Grande do Sul State Security Secretariat confirmed a 35.8% increase in scams, mainly in the digital environment.
In April, the video conferencing platform Zoom had to deal with a leak of data from more than 500,000 users. In July, Twitter accounts were hacked. The popular app TikTok may be banned in the United States due to the lack of a clear information protection policy and successive scandals involving data theft.
Germano emphasizes the importance of the LGPD in this scenario. According to him, the legislation will govern the lives of people and organizations in the new era, as it deals with information that is sensitive for individuals and increasingly exposed on channels where it is very easy to lose control over it. As the saying goes, "data is the new oil": this information is very valuable.
“Today, smartphones hold all of their owner's private data. Bank accounts and passwords, daily movements, address, schedules, routines, even family members, communication partners, heart rate, and the number of steps taken. This data belongs only to that person. The responsibility of whoever holds this information is extreme,” he adds. Furthermore, it's a matter of survival for those who want to stay in the market. “Consumers are increasingly demanding and choose who to entrust their information to. Would you entrust your life to someone who isn't prepared to take care of it?” asks Luiz Paulo.
By Luiz Paulo Germano