The LGPD is already a reality on the Brazilian internet: the law came into force in September 2020, and many companies have already begun to adapt their online channels to its requirements. At this stage of implementation, it is natural for concern to grow about how to fit the new legislation into the company's data processing.
To make this easier, we have organised the principles of the new law into a journey that simplifies setting up your company's data processing and helps you recognise good conduct and bad practices in day-to-day work.
Principle of Purpose
What data is the processing based on, and what will it be processed for?
It will no longer be possible to process personal data for generic or undefined purposes.
Each piece of information must be collected for specific, explicit and legitimate purposes, and the data subject must be informed of how it will be used. The company also cannot later process the data for a purpose incompatible with the one it stated.
This principle corresponds to the first step of your LGPD journey: taking an inventory of the data your company has access to, why it is in your database, and whether it should remain there.
Principle of Adequacy
Is the use of the data compatible with the purpose?
When the company collects personal data, the purpose must be stated to the data subject and must be compatible with the processing the data will actually undergo.
This principle became necessary because some companies collected data that often had nothing to do with their activity in the market. That data was sold to other companies interested in the information, and the user suffered the consequences: unwanted telemarketing calls, direct mail and similar cases.
It belongs to the step of classifying the data and checking adherence to the LGPD: is the stored data still used for the purpose for which it was collected?
Principle of Necessity
What processing is necessary to fulfil the purpose?
In general, companies should process only the data strictly necessary for their purposes, and document the legitimate reasons for that processing in reports.
This principle is also tied to the step of classifying the data and checking adherence to the LGPD, so weigh what is really essential to the business against what is merely convenient; that makes it easier to bring the company's processes in line with the new legislation.
Principle of Security
Are there adequate technical measures to protect the data?
Each company is responsible for adopting procedures, means and technology that protect personal data from unauthorised access by third parties and from intrusions.
There are information security companies on the market that provide efficient and adequate management of this data.
Measures against accidental or unlawful destruction, loss, alteration, communication or dissemination of data should be on the agenda at this stage of adapting processes and security systems.
Principle of Prevention
Are there preventive measures to keep data secure?
Adopting measures in advance that prevent damage from occurring during data processing is essential.
Companies that want to adapt their processes to the LGPD must have actions in place before problems arise, and preferably prevent them altogether. This is why auditing your site is so important: it keeps your customers' data from harm.
The principle of accountability
How to make the company aware of the importance of privacy, and prove to the authority and to the data subject that it complies with the law?
It is essential that the company fully complies with the law; moreover, it should get into the habit of documenting evidence of every measure taken to protect and process data. This demonstrates not only respect for the law but also transparency towards customers.
Staff training, hiring consultants, and the use of systems and processes that ensure data security are evidence that your company takes privacy seriously, and the data subject must have an easy channel to reach the company whenever needed.
The awareness step is extremely important so that this process becomes part of the company's culture.
Principle of open access
How can data subjects be guaranteed consultation of their data?
This point shows how much greater the data subject's control is under the new law. A person who chooses to leave personal data with the company has the right to consult, in a simple and free way, all the data the company holds about them, as well as the purpose for which it will be used.
The processing to be carried out, and how long the company will keep the data, must be specified. In addition, the data subject has the right to request deletion of the data, to object to the processing, and to request its correction.
This principle is a fundamental part of the last stage of adaptation, the management and fulfilment of data subjects' rights, and it is the principle that should bring the most change compared with the previous data protection rules.
Data Quality Principle
How to ensure the accuracy of the data?
The quality of the data is closely linked to the need for and purpose of its processing. The information must be accurate, relevant and up to date for the processes of the company that processes it, and available to data subjects for consultation.
The principle of transparency
How to accurately report the processing done with the data?
Transparency needs to be a priority in the company. All information the company provides about its processing must be clear, accurate and truthful.
A simple way to comply with this principle is through consent messages that tell the customer what information your site has access to and ask whether they agree to share it.
This principle is directly opposed to covert data sharing, a practice many companies engage in and one that is not well regarded.
So make sure your customer knows exactly what is done with their data; if the collected data is handled by a third-party company, your customer needs to know that too.
Principle of non-discrimination
How to prevent data from being used to discriminate against its subjects?
The LGPD defines a category of sensitive data, which includes information about a person's ethnic origin, religious conviction, political opinion, health, genetics or biometrics.
This data may not be used for economic advantage or shared between controllers without the data subject's consent.
The principle reinforces that, although sensitive data is often used to discriminate against or abuse data subjects, such use is prohibited and inappropriate.
To illustrate, imagine a company that makes watches measuring their users' heart rate and sells or shares that data with a health insurer. When the watch user later looks for a health plan, the insurer that improperly obtained the data will have a health history on hand and could take economic advantage of it.
Because practices like this have been frequent in the market, it became necessary to impose stricter criteria for handling sensitive data.
If you are curious about how a data protection tool works, our consultants can explain each step. Please contact us.