Want to know whether your company complies with the LGPD and don't know where to start? Let's start from the beginning.
After all, what is the LGPD?
The Lei Geral de Proteção de Dados Pessoais (LGPD, Brazil's General Personal Data Protection Law, Law No. 13,709/2018) is the Brazilian law that regulates the processing of personal data in the country. It was signed into law in August 2018 and came into force in September 2020; its administrative sanctions became applicable in August 2021. The LGPD aims to ensure the privacy and protection of individuals' personal data by regulating the collection, storage, use, sharing and protection of that data.
The LGPD applies to any natural or legal person, public or private, that processes personal data in Brazil, regardless of its legal form or where it is headquartered. It also reaches processing carried out abroad when the data belongs to individuals located in Brazil (for example, when goods or services are offered to them) or was collected in Brazil.
Some of the main obligations under the LGPD include:
- Having a valid legal basis for every processing activity. Consent is one of several legal bases and, when relied on, must be free, informed and unambiguous; it is not required where another basis (such as compliance with a legal obligation or the legitimate interest of the controller) applies;
- Appointment of a data protection officer (the "encarregado", or DPO);
- Implementation of technical and administrative security measures to protect personal data;
- Clear and transparent information to data subjects about the purposes of processing;
- Data subjects' rights to confirm the existence of processing and to access, correct, anonymize, port and delete their personal data, among others;
- Notification of security incidents that may cause relevant risk or damage to data subjects, both to the national authority (ANPD) and to the affected data subjects.
The law also establishes administrative sanctions for organizations that fail to meet their obligations, including fines of up to 2% of the company's, group's or conglomerate's revenue in Brazil in its last fiscal year (excluding taxes), capped at R$ 50 million per infraction. The LGPD is widely regarded as one of the more comprehensive data protection laws in the world, closely modelled on the EU's GDPR.
Compliance with the LGPD
To comply with the LGPD, a company must first identify the personal data it collects, stores and processes, and then analyze whether each of those activities complies with the rules the law establishes.
It is essential to implement security measures that protect personal data against unauthorized access and leaks, to train employees on the LGPD and on appropriate data protection practices, and to review and update policies and contracts regularly so that they remain compatible with the law. Internal data protection policies should be developed and implemented as well; they should be clear and easy to understand, and should cover the rules for the collection, use, storage and sharing of personal data.
Another good strategy is to partner with companies that specialize in personal data processing, which can help the company meet the requirements and avoid administrative sanctions. Any third party that processes personal data on the company's behalf must be monitored to make sure it also complies with the LGPD and preserves the privacy and security of that data. The company must also create mechanisms for handling requests from data subjects, so that requests for access, correction and deletion of personal data are answered quickly and efficiently.
A Data Protection Impact Report (RIPD, the LGPD's counterpart to a privacy impact assessment) helps identify and evaluate the risks that a given processing activity poses to the rights and freedoms of data subjects. Communication and notification protocols for data security incidents should also be established, so that the ANPD and the affected data subjects are notified promptly in case of a breach.
Ideally, a Data Protection Officer (DPO) is appointed to oversee the implementation of, and ongoing compliance with, the LGPD in the company. Regular audits are another effective way to confirm that the company remains compliant and to identify anything that needs updating.
Compliance with the LGPD is a continuous process. Companies must keep up to date and honor their obligations at all times in order to protect the privacy and security of their data subjects' personal data.
Feeling confused with the amount of information above? Here’s a simplified step-by-step guide.
- Identification of personal data: Map all personal data that your company collects, stores and processes. This includes identifying where the data comes from and the purposes for which it is used.
- Compliance analysis: Check whether the collection, storage and processing of that data complies with the rules of the LGPD (including the legal basis for each activity). Identify any areas that need to be corrected or adjusted.
- Appointment of a Data Protection Officer (DPO): Designate the person responsible for overseeing the implementation of, and compliance with, the LGPD in the company.
- Implementation of security measures: Put technical and administrative measures in place to protect personal data against unauthorized access and leaks.
- Employee training: Train your employees on the LGPD and on appropriate data protection practices.
- Policy and contract review and update: Review and update policies and contracts so that they are compatible with the LGPD.
- Regular audits: Conduct regular audits to confirm that the company continuously complies with the requirements of the LGPD.
- Data Protection Impact Report (RIPD): Conduct an impact assessment to identify and evaluate the risks to the rights and freedoms of data subjects arising from the processing of their personal data.
- Communication and notification protocol for incidents: Establish protocols for data security incidents so that the ANPD and the affected data subjects are notified promptly in case of a breach.
Remember that LGPD compliance is a complex process that varies with the nature and scope of the company. It is recommended to seek the help of specialists in the subject to ensure that compliance is achieved correctly and efficiently.