LGPD (Brazilian General Data Protection Law) undoubtedly changes the routine of Brazilian and foreign companies. The law determines that companies operating in Brazil have more attention when dealing with information and personal data. In other words, LGPD demands that companies be more transparent about the use of customer and user data, but not only that. It also stipulates rules that involve privacy and security.
LGPD will come into force in August 2020. As this is a new regulation, it has raised many questions, particularly from business owners and managers. With that in mind, we’ve created a list of practical tips so that you can adapt your business to the law smoothly and without major stress and headaches. Also because the fines for non-compliance with LGPD can reach more than USD 10 million per infringement committed. It’s a lot of money!
Which companies does LGPD affect?
Before we get to our list, let's answer this important question: which companies does the LGPD apply to? LGPD applies to any company that operates or does business in Brazil. All sizes are included: small, medium and large. Also all sectors are included, such as technology, finance, health and education companies.
By the way, this point has sparked a lot of discussions, as some experts see no sense in the law being equally valid for both large and small companies. In contrast, they suggest that the law should take more into consideration the volume of data collected, processed and stored.
One of the LGPD articles, however, opens a loophole in this regard. The article says that the law enforcement authority, called the National Data Protection Authority (ANPD), can edit different rules and procedures for micro and small businesses.
Check out tips for LGPD compliance
1. Understand the flow of information within your company
The first step towards LGPD compliance is to understand the flow of information and personal data within your company. That is, where, how, and what user, customer, partner, and employee data is collected, used, and stored.
A simple example. Your business is in healthcare. Patients fill out a form by hand with personal data such as name and telephone number. Then a company employee passes this data to a system on the computer. Finally, another person in the company, such as a doctor or an administrative assistant, may have access to this data. This is the beginning of the information flow. Your business needs something like this, but broader, more detailed and complete.
2. Choose a person to be responsible for the data
LGPD determines that companies create the position of DPO (Data Protection Officer). The law calls the DPO the “person in charge”. The DPO is the person in the company responsible for intermediating the data operation and processing.
Among the DPO's functions are, for example, guiding company employees on information security policy and acting as a communication channel between the company, data owners and also the data protection authority.
The law, however, says the ANPD may issue rules that dispense with the DPO, depending on the size of the company or the data processing volume.
3. Collect only information essential to your business
The law greatly reinforces the issue of essential data. This means that your company should only collect information that is really important to your business.
For example, LGPD finds it unacceptable if, when filling out a clothing store registration form, you’re required to share your ethnic background. Another example: some religions don’t allow blood transfusion. Under the law, the hospital or clinic should only ask if the patient agrees to have a blood transfusion; and not what his religion is.
4. Be clear about data usage time
An important concept that should be taken into consideration when dealing with LGPD is data processing termination. Under the law, companies need to define a data lifetime. That is, personal data processing must end, basically, when the goal set by the company has been achieved.
After this period, whenever possible, the information should be anonymized. This means it must be detached from its owner, so that one can never find out to whom such information belongs.
5. Adapt your website and any other data collection point
LGPD requires your company to be transparent. In practice, you need to make it clear to the user what your intentions are when collecting and using certain data. Also, he needs to agree with that.
Let's go to one more example. If you use different cookies on your website to collect any kind of user information, this needs to be very clear and evident, and you need to have the user's consent. Just using that typical phrase "By using this site you accept cookies" followed by an "Ok" button is no longer enough.
6. Create a communication channel with customers and users.
According to the law, customers and users are entitled to know how their information has been used and even demand a copy of it. In addition, they may require data to be deleted, edited and even anonymized, i.e. unlinked.
The company is responsible for fulfilling these requests at any time provided, of course, that there is no conflict with other laws and regulations. A simple way for your company to meet this point would be to make your DPO's contacts available.
7. In case of data breach, inform the authority and the data owners
In security incidents cases, the law states that the company must inform the national authority and the data owners. The notification must include different information, such as the types of data affected, the risks, and the measures being taken to mitigate the leak's effects.
8. Adopt attack and leak prevention and protection solutions
The law is very clear regarding information security. It requires companies to use technical and administrative measures to protect the data. That's why it's important for your business to prevent attacks and threats that may lead to a data breach. A good start would be to adopt an email protection solution, as email is today the main gateway for threats. It’s also important to think about protecting networks and computers, and restricting access to information.
9. Create a data protection impact report
There is an excerpt in the law that mentions a document called the Personal Data Protection Impact Report, which may be requested by the data protection authority. To be cautious and LGPD compliant, your company will need this document.
Basically, it's a set of the 8 previous points that we talked about here in this post. It's a descriptive document that addresses the flow and processing of information, including security measures, incident prevention, and risk mitigation mechanisms. We can describe it as a guide to your company's information security.
No, it's not easy to comply with the LGPD. You need to invest time and energy to understand and map the information cycle within your company. Our tips in this post are an interesting way to start. They give you a better idea of what needs to be done and how it should be done. Finally, as this is a complex law, consider having expert help. It's always better to be safe and in compliance.