Lean Sales

What are the duties of a DPO?

With the entry into force of the LGPD (General Data Protection Law, Law No. 13.709/2018) in September 2020, companies are required to bring their operations into line with the rules established by Brazilian law as soon as possible. We present more details about the legislation in the post LGPD: your company at the forefront of data protection.

The law lays down rules for the processing of user data in order to protect and guarantee the security of the data held in digital and physical databases, classified as personal, sensitive and anonymized data, and it determines how that processing must take place. In this context, when managing data the company must take into account the principles set out in the LGPD (Art. 6):

  • Purpose;
  • Adequacy;
  • Necessity;
  • Free access;
  • Data quality;
  • Transparency;
  • Security;
  • Prevention;
  • Non-discrimination;
  • Accountability.

One of the main points when dealing with the processing of personal data (of customers, suppliers and employees) is the consent of the data subject, that is, the natural person to whom the data refers authorizing the use of their data for the purpose for which it was collected. Consent is one of the legal bases for processing listed in Art. 7; the data subject also has the right to correct or delete their information in the database, and the purpose of the collection must be stated clearly and explicitly.

Failure to comply with the criteria established by the General Data Protection Law (LGPD) results in penalties ranging from warnings, through fines of up to 2% of the entity's revenue in Brazil in its last fiscal year, limited in total to R$50,000,000.00 (fifty million reais) per infraction, to partial or total suspension of the activities related to data processing.

It is important to note that the LGPD is applicable to any organization (from large to small companies), in all sectors.

Data processing

The General Data Protection Law defines data processing (Art. 5, item X) as:

X - processing: any operation carried out with personal data, such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, modification, communication, transfer, dissemination or extraction;

To carry out these operations, companies rely on two agents: the controller, who is responsible for the decisions regarding the processing of personal data, and the operator, who processes personal data on behalf of the controller.

What is a DPO?

The legislation provides for the appointment of a person in charge of processing personal data (in Portuguese, "encarregado"), commonly called a DPO (Data Protection Officer), to help companies with their compliance activities.

According to the LGPD, the appointment and duties of the person in charge are set out in Art. 41:

Art. 41: The controller must appoint a person in charge of processing personal data.

§ 1 The identity and contact information of the person in charge must be publicly disclosed in a clear and objective manner, preferably on the controller's website.

§ 2 The activities of the person in charge consist of:

I - accepting complaints and communications from data subjects, providing clarifications and adopting measures;

II - receiving communications from the national authority and taking action;

III - providing guidance to the entity's employees and contractors on the practices to be adopted in relation to the protection of personal data; and

IV - performing other duties determined by the controller or established in complementary rules.

§ 3 The national authority may establish additional rules on the definition and duties of the person in charge, including the possibility of waiving the need for their appointment, depending on the nature and size of the entity or the volume of data processing operations.

What are the duties of a DPO?

In short, the DPO's duties consist of informing and guiding the other agents (controller and operator) and the entity's employees and contractors about their activities and obligations under the LGPD.

The DPO is also responsible for monitoring the processing and documenting it so that it complies with the criteria required by law. In addition, the DPO is the point of contact who acts as an intermediary between the controller, the data subjects and the national authority (ANPD).

What are the requirements to be a DPO?

New to Brazil, the position of DPO requires knowledge in the areas of technology, cybersecurity and compliance, in addition to mastery of the new legislation. The LGPD itself does not require a specific qualification or certification for the person in charge.

EXIN offers a qualification program whose three exams together lead to its Data Protection Officer certification, recognized internationally:

  • Information Security Foundation (ISFS), based on ISO/IEC 27001;
  • Privacy & Data Protection Foundation (PDPF);
  • Privacy & Data Protection Practitioner (PDPP).

After passing these three exams, the professional receives EXIN's DPO certification.

Lean Sales has a professional DPO (Data Protection Officer) who is qualified and able to act in accordance with the rules laid down by the LGPD.
