Many companies deal with data on a daily basis, be it to provide an ebook, new registrations on the site, purchases or promotions. Nowadays it is already common for users to leave their data while surfing the internet.
This data was protected by Law No. 12,965 of April 2014, which, despite fulfilling its role in its early years, is no longer effective in ensuring transparency in the use of people's data.
The new law, the LGPD (General Law of Data Protection), regulates the treatment of data and information of people collected by companies, especially on the Internet via forms, from collection to classification, processing, storage, and especially use and transfers.
The LGPD was based on the European GDPR law (General Data Protection Regulation), which was a necessary update to the 1995 European privacy law, shortly after the leaking of data without consent by giants such as Facebook.
If you have a business that deals with public information, it is very important to be in the know. The new law is expected to go into effect in the second half of 2020. All companies in Brazil will have to comply with the new rules. Non-compliance with the new requirements may generate penalties with fines of up to 50 million reais.
What changes with LGPD?
In Brazil, the new legislation puts the country on an equal footing with the European and North American nations in data protection issues, facilitating trade between countries, since data treatment on the Internet is similar.
As almost every company deals with some kind of data from customers and suppliers, the impact of the LGPD will be broad and not necessarily directed at large corporations. As a result, all companies will have to handle the collection of personal data in the same way.
To begin with, data can only be collected with the express consent of the data subject, who must be clearly informed about what will be collected, for what purposes, and whether the data will be shared. In addition, when minors are involved, the data can only be processed with the consent of their parents or legal guardians.
The sale and supply of data without consent is also prohibited. In the event of a change in the purpose of the data, the user can revoke his or her consent, as well as request deletion and correction of the data.
For data considered sensitive, concerning religious beliefs, political positioning, physical characteristics, health conditions, among others, the use will be more restricted: no organization will be able to use it for discriminatory purposes, and it will be necessary to ensure that it is properly protected.
In general, the LGPD seeks to protect the user from abusive and indiscriminate use of their data, ensure clear consent and allow the user to maintain or delete the data. Companies will only be able to request data that is actually necessary for the proposed purpose.
The new rules do not apply to data processed for academic, artistic or journalistic purposes, as well as those involving public security, national defense, protection of life and government policies. These cases will be dealt with by specific laws.
How does the law work for foreign companies?
Foreign companies are no exception: the proposal applies to operations in Brazil or in another country, as long as the data collection is made in Brazilian territory.
If necessary, the company can transfer data to its branches or foreign headquarters, on the condition that the destination country has comprehensive data protection laws or guarantees treatment mechanisms similar to those required in Brazil.
What happens in the event of a data leak?
Data leaks or security breaches must be reported to the authorities in a timely manner, and the authorities will analyze the situation and indicate the next steps to be taken, as well as publicizing the situation to the press.
Who will oversee it?
The project foresees the creation of the National Authority for Data Prevention (ANPD), linked to the Ministry of Justice, which will supervise and ensure that the law is complied with among institutions.
A National Council for Personal Data Protection and Privacy will also be created, which will be formed by 23 representatives.
In addition, public and private institutions will have to appoint at least one person responsible for data handling within the organization. This person will be responsible for any communications and requests concerning personal data.
Many companies already use these principles in their data processing, but now it will be mandatory for everyone to stay within the parameters of the law.
The LGPD promises to bring much more security to citizens and keep them aware of what happens to their data. It will also reduce or nullify the use and transfer of irregular data.
If your company needs to adapt to the new parameters, we suggest looking for companies specialized in Data Protection to help with this. Whatever the size of the investment required, it will most likely be worth it, considering the fines for those who do not comply.
And if you want to learn more about it, you might like to know about our eBook "A Guide to LGPD", or, if you prefer, we have an introductory course on the subject; to enroll, just click here.