You may have heard of the LGPD and of how it changes data protection behind the scenes of the internet.
But do you know how this directly affects you and your business?
What is LGPD?
The General Personal Data Protection Act (LGPD) is a law that regulates how Brazilian consumer data is treated by companies both physically and digitally.
It was inspired by the European General Data Protection Regulation (GDPR) and unifies the way in which data is treated, since previously several separate laws each regulated the subject for specific cases.
Thus, the law has tools that require more transparency in the sharing of data, both by private companies and public companies.
In practice, it governs how companies handle the data (sensitive or not) that users share when registering for a service, and the user's consent to accept or reject a company's terms. After all, the data belongs to the user, who may or may not want to share it.
What is data?
Personal data is any information that can identify a person, such as:
- name;
- RG number;
- CPF;
- address;
- marital status;
- date of birth;
- e-mail;
- telephone number.
In addition, the LGPD recognizes as indirect data information that, analyzed together with other information, can identify a person.
Sensitive personal data, on the other hand, is data that, depending on the context in which it is used, can lead to discrimination or prejudice, such as:
- racial or ethnic origin;
- religious conviction;
- political opinion;
- union membership;
- affiliation to a religious, philosophical, or political organization;
- health or sexual life data;
- genetic or biometric data, when linked to a natural person.
This type of data receives stronger protection under the LGPD.
Formerly, this data was sold by registration companies for direct mail and active marketing, but today it goes beyond data such as social security number, name and address.
Data is used to improve social media algorithm experiences and find the best content for your profile, that is, to sell to those who really want to buy.
But handling third-party data is not simple, not least because it carries a major responsibility for users' security.
What happens when a celebrity has their phone leaked or their address exposed?
They need to change their phone number or move house for safety reasons.
The same is true of virtual data, only on a much larger scale.
When a data leak occurs from a company like Facebook, which controls several popular social networks and facilitates logging into various sites, millions of people have their information exposed.
The LGPD was boosted by data leak scandals at companies that concentrate information from users around the world, such as Facebook, which recently had a leak of more than 500 million users' personal data from the social network.
This may even increase the number of online frauds.
Who does the General Data Protection Act apply to?
Law No. 13,709/2018 will apply to companies and individuals that process and handle personal data in the national territory, that sell products or services in Brazil, and whose data processing has taken place in the country.
It is important to note that the LGPD does not apply to data that comes from and is destined for other countries, merely passing through Brazil, and that is used for personal and non-commercial purposes.
Who are the people involved in the LGPD?
The LGPD defines the parties involved in protecting this data:
Data subject (holder): the person to whom the data belongs.
Controller: whoever makes the decisions regarding the treatment of users' personal data.
Operator: whoever actually handles and treats the data, in accordance with the controller's guidelines.
Officer in charge: the person (natural or legal entity) who acts as the link between the company, the data subject and the national data authority, a government body designed to regulate the way in which companies handle data and the risk involved.
Treatment agents: those who treat the data, including the controller or the operator.
Finally, although it is not a party involved, it is important to clarify that treatment is any action performed on data, for example processing, distribution, storage, deletion, etc.
Where does the LGPD apply?
This law does not apply only to Brazilians; it applies to everyone who is in the national territory. In other words, foreign companies that are in the national territory need to adapt.
In addition to the LGPD, the Brazilian law of 2018, there are other laws around the world, such as the General Data Protection Regulation (GDPR) of 2016.
This demonstrates a worldwide alignment with respect to democracy and the user's right to choose whether or not to share personal and sensitive information and how that data will be used.
When does the LGPD come into force?
Law No. 13,709/2018, that is, the LGPD, should come into force on August 16, 2020. However, a bill (PL 5762/2019) is currently pending that aims to postpone the law's entry into force to August 15, 2022.
This bill is still in progress, and its latest action was on March 10, 2021, at the Constitution and Justice and Citizenship Commission (CCJC).
So, as of this date, companies need to explain to users what they are going to use the data for and how they are going to treat it, giving more transparency to the process.
Is there a fine for violating the LGPD?
The LGPD regulates the way in which a company uses data and the consent of the data subject.
For example:
A doctor's office requests information from the patient: full name, contact number, health insurance card number, social security number, etc.
After that, the customer magically begins to receive unauthorized marketing messages on WhatsApp.
In addition to a violation of WhatsApp policies, there is an infringement of the LGPD.
Failure to comply with the General Personal Data Protection Act may result in the application of penalties such as:
- warning;
- blocking or deleting personal data processed in violation of the law;
- suspension or prohibition of the exercise of treatment activity for a period of up to 6 (six) months;
- fines of up to R$50,000,000.00 (fifty million reais).
Does the LGPD apply to any company?
It doesn't matter whether you have a neighborhood bakery or a multinational company: you need someone internally to take care of your data (even if it is written on bread-wrapping paper) and of the way in which it is treated.
Of course, the biggest sanctions and problems will fall on million-dollar companies, such as banks, but that doesn't stop the ANPD from getting to you.
And the penalties may take a little longer to apply because, at the moment, the positions of the National Authority for the Protection of Personal Data (ANPD), the body that oversees the LGPD, are still being created and filled.
So...
Why are banks already advertising on TV about LGPD if there is still no penalty?
Because those who are already compliant, or who show good faith in starting the process (after all, the clock on the law's entry into force is already running), are treated more favorably by the inspection.
Let's think of 2 scenarios:
João is an average student who took 5 minutes to do a choice assignment. This paper is full of errors in Portuguese, has problems with layout, and has flaws in the content. After all, it took him very little time to do that job.
Maria, also an average student, dedicated herself. She started the assignment as soon as the teacher set it. She wrote, read, looked for reliable sources, made several grammatical and content revisions, and looked for the best images to highlight the good content even more.
Who do you think did a better job?
The same thing happens with the LGPD: those who start earlier have more time to adapt and create a work routine with the appropriate positions, tasks, etc.
In the specific case of banks (which will probably be the first to suffer any sanction in case of problems with the LGPD), their structure and processes make change slower, as they are huge institutions.
So it makes sense for them to be pioneers in adapting.
So it's time to get moving.
Take care to look for someone specialized in the LGPD, or train someone within your company, and make sure you are already beginning to adapt to the new General Data Protection Law.
The best time to start was yesterday; the second-best is today.
Come on, let's get to work!