Data is one of a company's main assets in the digital/technological age, used for various purposes from making purchases and registrations to segmenting customers based on identified profiles.
However, with the expansion in the volume of data and business, the exposure of individuals' personal data without their consent has become uncontrollable, which has led to an urgent discussion about the limits between business strategies and the invasion of privacy.
One of the most high-profile data leaks on the international scene was by Facebook, which leaked the passwords and data of 540 million of its users, and the use of the information of more than 50 million users, without their consent, by the American company Cambridge Analytica for political purposes.
In addition to the negative impact on the company's image, along with distrust and loss of users, data leaks lead to lawsuits and significant costs for companies. The study "Cost of a Data Breach Report 2019" carried out by IBM reveals that the cost of a data breach is US$3.92 million on average. In Brazil, the average cost of a data breach is US$1.35 million. The study also shows that it takes 250 days to identify a breach and 111 days to contain it.
The scandals surrounding the leaks of user data from large corporations have turned the attention of users and companies to the following question: how do we protect personal data and prevent breaches?
To curb the use of data without users' consent, the LGPD (General Data Protection Law - Law No. 13.709/2018) was enacted as a measure to ensure data privacy and security.
Inspired by the European Union's GDPR (General Data Protection Regulation), the General Data Protection Law (LGPD) in Brazil was approved on Wednesday (August 26, 2020) by the Senate, which removed Article 4 of Provisional Measure 959/2020, the provision that had postponed the law's entry into force until January 1, 2021. As a result, the law came into force on August 27, 2020.
Understand some of the terms used in the General Data Protection Act:
- Personal data: information that makes a person identifiable: name, ID, CPF, gender, date and place of birth, telephone number, address, etc.;
- Sensitive personal data: data concerning racial or ethnic origin, religious conviction, political opinion, membership of a trade union or religious, philosophical or political organization, data concerning health or sex life, genetic or biometric data;
- Anonymized data: data relating to a data subject who cannot be identified;
- Database: a structured collection of personal data;
- Data subject: the person to whom the data refers;
- Controller: the person who has the power to make decisions regarding the processing of personal data;
- Operator: the person who carries out the processing of personal data on behalf of the controller;
- Data Protection Officer (DPO): the person appointed by the controller and operator to act as a communication channel between the controller, the data subjects and the National Data Protection Authority (ANPD);
- Personal data protection impact report: the controller's documentation describing the personal data processing operations that may pose risks to civil liberties and fundamental rights.
Fundamentals
The basis (Art. 2) of the LGPD was built on the following foundations:
I - respect for privacy;
II - informational self-determination;
III - freedom of expression, information, communication and opinion;
IV - the inviolability of privacy, honor and image;
V - economic and technological development and innovation;
VI - free enterprise, free competition and consumer protection;
VII - human rights, the free development of personality, dignity and the exercise of citizenship by natural persons.
Sanctions
The ANPD (National Authority for the Protection of Personal Data) will monitor compliance with the LGPD and penalize any irregularities found, as well as providing guidance and regulating the application of the law in a preventive manner.
In cases where the processing of data by companies does not comply with the rules established by the LGPD, the following punishments will be applied (art. 52):
I - a warning, with a deadline for the adoption of corrective measures;
II - a simple fine of up to 2% (two percent) of the turnover of the private legal entity, group or conglomerate in Brazil in its last financial year, excluding taxes, limited in total to R$ 50,000,000.00 (fifty million reais) per infraction;
III - a daily fine, subject to the total limit referred to in item II;
IV - publicizing the infraction after it has been duly investigated and confirmed;
V - blocking the personal data to which the infringement refers until it is regularized;
VI - deletion of the personal data to which the infringement refers.
LGPD: your company at the forefront of data protection
Companies must adapt to the rules established by the LGPD, taking into account two extremely important points. The first concerns the purpose for which the information is collected: the company must clearly specify the reason why the user's data is being collected.
The second is the user's consent to provide the information, together with their right to change (delete or modify) the information held in the company's database.
Companies will be responsible for every operation carried out with personal data, from access (registration) to use (the act of using the data), prioritizing data protection and the three security principles: reliability (ensuring that data is not exposed to risks), integrity (a commitment to keeping data correct and up to date) and availability (free access by users).
Data must be processed in accordance with the principles of the General Data Protection Act (Art. 6):
I - purpose: processing carried out for legitimate, specific, explicit purposes and informed to the data subject, without the possibility of further processing incompatible with those purposes;
II - adequacy: compatibility of the processing with the purposes informed to the data subject, according to the context of the processing;
III - necessity: limitation of processing to the minimum necessary for the fulfillment of its purposes, covering data that is relevant, proportionate and not excessive in relation to the purposes of the data processing;
IV - free access: guarantee to data subjects of free and easy consultation on the form and duration of processing, as well as on the completeness of their personal data;
V - data quality: guarantee to data subjects that the data is accurate, clear, relevant and up-to-date, in accordance with the need and for the fulfillment of the purpose for which it is processed;
VI - transparency: guaranteeing data subjects clear, precise and easily accessible information about the processing and the respective processing agents, with due regard for commercial and industrial secrets;
VII - security: the use of technical and administrative measures to protect personal data from unauthorized access and accidental or unlawful destruction, loss, alteration, communication or dissemination;
VIII - prevention: adoption of measures to prevent the occurrence of damage as a result of the processing of personal data;
IX - non-discrimination: the impossibility of carrying out processing for unlawful or abusive discriminatory purposes;
X - responsibility and accountability: demonstration by the agent of the adoption of effective measures capable of proving compliance with personal data protection rules, including the effectiveness of these measures.
In order to manage information, companies must carry out a mapping exercise to identify the volume of data held and the number of users. The law also requires a person in charge of personal data processing activities, called the Data Protection Officer (DPO).
The General Data Protection Act applies to any company, regardless of its size or line of business. The rules apply to both digital and physical data, so data must be disposed of correctly, in such a way that it can neither be recovered nor used to identify a person.
In addition to customer data, the LGPD also covers the personal information of suppliers and employees.
As a result, your company guarantees the security of its users' data with transparency and reliability, as well as protecting the company from possible irregularities and punishments.
Lean Sales is a company that handles its users' data responsibly, and it also offers this service to its partners, with operations that take into account the criteria established by the General Data Protection Act. We guarantee the highest level of care and security through our professional DPO (Data Protection Officer).