Antonio Cipriano

VP Cosin Consulting

In just over a year, the new General Data Protection Act (LGPD) will come into effect in Brazil with immediate effects in the pockets of those who do not comply. The conversations, in general, as well as the preparations, however, are still very superficial, not identifying the deep and diffuse reflexes that the new legislation will bring to the companies.

Sectors such as finance and, in readiness levels, even retail, are doing well, but areas such as health, for example, are still crawling. Imagine that you are going to do a simple exam and then the clinic doctor asks you to forward the results to a generic e-mail as "service@". How many people will not have access to it? Where and how will this data be stored and used?

The situation described above makes it clear that a simple "compliant/non-compliant" analysis is not enough or at least does not solve all the implications involved. To go deeper, it is necessary to recognize that the integral service to the new law has a multidisciplinary character that covers business strategies, processes, technologies, relationship policies and customer service, HR practices, employee attitudes and even corporate culture issues.

With this scenario, a consistent option for preparation is, as in the Administration and Accounting area, to perform a LGPD Assessment in the company to understand its current practices of data protection, what the new legislation is requiring and what is this "gap" between the two dimensions. In this analysis, we focus on three main aspects: business, legal and IT, taking into account not only the LGPD itself, but also the internationally recognized codes for information security and risk management.

In this work, the first step is to clearly identify which data of individuals the company stores, or has contact with. Their nature is also something to be studied, as the more sensitive the information, the greater the potential for damage and level of security required. We then move on to the analysis of the place or manner in which this data is stored, that is, in systems, e-mails, spreadsheets, contracts, notes, receipts, etc.

We then arrived at one of the main novelties of the LGPD, the evaluation or even design of procedures for obtaining consent of people to use the data. Here, the situation begins to get more complicated, because it is not enough to have the procedure to allow the use, the law requires that the company can later track how the data of people are used, who uses them, for what purpose and for how long. Soon, something complex that demands both IT systems, as processes, team training and even the creation of audit methods.

There is also an entirely new situation that needs to be addressed: effective procedures to ensure the right to remove personal data when so requested. At a superficial glance, it may seem something simple. But it isn't! Imagine the challenge of removing data from companies of national size, with several sales channels, databases, integration with suppliers and subsidiaries of the same group. Not to mention the most practical items: who will receive this request? In what way? What is the exclusion period? How is the 'owner' customer notified? In other words, it is a whole new activity inside the company that needs to be developed.

The company needs to prepare for an eventual leak of information. Besides the fines, the law foresees that this fact should be communicated publicly. Soon, the companies should have very clear: who takes care of the information, how the leaks are monitored, who composes the crisis team to take decisions quickly, among others. In parallel to all this, companies must re-evaluate contracts, both with suppliers and for the internal team, engage the team and properly communicate the changes to the public involved, defining which points should be addressed, by whom and within what time frame.

 All these issues require time, not only for adjustments, but also for the parties involved to agree on the necessary changes. This is the main reason for establishing a sense of urgency for actions towards the LGPD. The longer the company takes to get started, the less time it will have to adjust what is needed and have confidence in this necessary and inevitable learning curve.

 Administrative sanctions and fines are heavy and will apply from August 2020. Depending on the maturity of the company and the branch in which it operates, the changes and transformation can be enormous. LGPD can bury strategies/actions to attract customers to sell products and services and even make whole businesses unviable. For this reason, I recommend that this issue be on the main leadership agenda as soon as possible and do not lose your sense of urgency.

Article originally published in: