General Data Protection Law: is your company ready?

Tatiane Bagagí Faria
Lawyer at Marcos Martins Advogados

The General Data Protection Law – LGPD (Law No. 13,709), of August 14, 2018, is scheduled to come into force in Brazilian legislation in August 2020 and aims to regulate the protection of personal data. As this is an innovation in Brazilian legislation and is directly linked to the technological sphere, it is common for questions to be asked about the purpose of the data protection law and its practical impacts on the daily lives of citizens and companies.

First of all, it is important to highlight the legislative intention in enacting this law. The ultimate aim is to guarantee the right to privacy[1] of an individual’s personal data, which is nothing more than the set of distinct pieces of information that can lead to the identification of a specific person. On a secondary level, the LGPD aims to establish rules for companies that store and collect data and also to foster technological development in an increasingly digital society.

Secondly, the most obvious question is in relation to the law’s impact in practice, i.e. the effects it will have after it comes into force, especially in the corporate sphere of companies that collect and process personal data in their activities.

In this regard, it is important to note that the LGPD[2] presents specific rules that must be implemented in the corporate sphere in order to change the mindset of companies and achieve the effectiveness of the law with regard to the protection of sensitive data of the community. Article 46 of the LGPD[3] stipulates that data processors/collecting companies must adopt security measures to protect personal data from unauthorized access.

It is important to clarify that the LGPD does not only target multinationals that are prominent in the technology sector, but any company that carries out basic operations involving the collection, use, processing and storage of personal data in its business activities will be subject to the effects of the law, even if such conduct is carried out outside the digital environment.

This means that a small business that collects and stores personal data for customer registration purposes, whether in a computerized system or offline, must adopt appropriate measures to protect the information collected. Nonetheless, transparency in access to information is another guideline of this law that has great relevance in corporate practice, since the individual has the right to know, in a clear and simple way, the procedure for obtaining, storing and sharing their data.

Considering the guidelines of the LGPD, companies in general must be attentive to, in addition to behavioral change, making adjustments to data processing and investing in infrastructure capable of making the collection and storage of personal data secure, thus avoiding the threat of personal data being leaked or information being exposed that causes harm to individuals.

Even though the law is not yet in force, it is essential that companies adopt, from now on, internal conduct aimed at implementing practices compatible with the LGPD, such as, for example, managing and evaluating the data collected and analyzing how this data is handled internally, in order to verify the measures that could be adopted in the future in order to bring business activity into line with the guidelines of the legislation. Another key point is the sharing of personal data with third parties, since the individual’s prior consent is essential for the company to be able to share personal information.

The LGPD even provides for administrative sanctions for non-compliance with data protection measures, as stipulated in article 52 of the law, ranging from a warning and the deletion of personal data relating to the infraction to the imposition of a pecuniary fine, which may be based on the legal entity’s turnover.

In view of this, it is extremely important for companies to be prepared for the entry into force of the law, in order to avoid the application of such penalties and at the same time be able to keep up with legal innovations in the technological field.

Is this subject of interest to you? The team at Marcos Martins Advogados has extensive experience in providing legal advice to companies of all sizes, and is qualified to deal with all demands aimed at guaranteeing your company’s maximum performance. Contact us.

[1] Article 5, item X, of the Federal Constitution: the privacy, private life, honor and image of individuals are inviolable, with the right to compensation for material or moral damage resulting from their violation being guaranteed;

[2]BRAZIL. Law 13.709, of August 14, 2018. Provides for the protection of personal data and amends Law No. 12.965, of April 23, 2014 (Marco Civil da Internet). Available at http://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/L13709.htm

[Art. 46: Processing agents must adopt security, technical and administrative measures to protect personal data from unauthorized access and from accidental or unlawful destruction, loss, alteration, communication or any form of improper or unlawful processing.

Share on social media