In September 2020, the LGPD (Lei Geral de Proteção de Dados, Brazil's General Personal Data Protection Law) came into force. It regulates how companies collect, store and work with their customers' personal data.
The law is designed to make companies handle the retention and storage of personal information in a more professional and transparent way.
Nowadays, people are much more aware of how companies handle their data, since the number of cybercrimes has increased significantly in recent years. Companies have had to adapt.
Brazil, for example, suffered more than 88.5 billion attempted cyberattacks in 2021, an increase of more than 950% compared to 2020 (with 8.5 billion), according to Fortinet.
Transparency is required from now on. Sanctions are graduated: a first breach can draw a warning, which can escalate to fines and other penalties that are deliberately heavy in order to deter this kind of illegal practice.
To ensure that the law is complied with, the ANPD (Autoridade Nacional de Proteção de Dados, the National Data Protection Authority) was created. Its task is to monitor and publicize how personal data circulates and is used by companies, in other words, to enforce the LGPD.
🔵What does the LGPD law say?
The General Personal Data Protection Law (Law no. 13,709, of August 14, 2018) was approved in 2018 but, after several postponements, only came into force on September 18, 2020, with the administrative sanctions applicable from August 1, 2021. It represents a historic milestone in the regulation of personal data processing in Brazil, both on physical media and on digital platforms.
Besides changing the way private institutions collect, store and make available user information, the LGPD also applies to public institutions, so it must be followed by the federal government, the states, the Federal District and the municipalities.
Basically, the LGPD exists to guarantee people's right to privacy, ensuring that databases and personal data do not circulate freely and without control.
🔵EXAMPLE
You've probably already received an SMS or WhatsApp message from a business you've never visited, never searched for on Google and perhaps never even contacted.
What most likely happened is that you registered with a partner of that business, which shared its customer base with it. As a result, your data ended up reaching that business, which started sending you messages and offers.
This kind of practice is no longer allowed. The same goes for spam during election periods (messages from a candidate you didn't even know existed) and for HR companies that use candidates' data to obtain medical information without authorization, even before hiring or asking about it. All of this is illegal.
Companies now have a series of obligations, starting with stating why they are collecting the data and what it can be used for.
The fine for misuse of personal data can reach 2% of the company's turnover in Brazil in its last fiscal year (capped at R$ 50 million per infraction); in addition, the database can be suspended and the company's data-processing activity can be halted.
🔵10 Principles of the LGPD
- Purpose: customer data may only be processed for legitimate, specific and explicit purposes that are communicated to the data subject, with no possibility of further processing incompatible with those purposes.
- Adequacy: the use of the data must be compatible with the purposes communicated to the data subject, given the context of the processing. Even if a use is written into the terms of use or privacy policy, it is illegal in itself if it does not match the specific purpose for which that data was collected.
- Necessity: only collect a customer's data if it is actually needed for the stated purpose, collect the minimum required, and keep it only for as long as you need it.
- Free access: every customer has the right to know what data the company holds about them, through a channel where that data can be consulted at any time.
- Data quality: the data held must be accurate, clear, relevant and up to date, and the customer must be able to update, complete or delete data that is no longer accurate or no longer makes sense for them. The terms of use and privacy policy must remain easily accessible after acceptance for any later consultation, and consent can be revoked at any time.
- Transparency: the customer must be told which data is being collected, and in the event of a security incident that may cause risk or damage, both the ANPD and the affected data subjects must be notified.
- Security: personal data must be processed in a way that guarantees appropriate security and confidentiality, including preventing unauthorized persons from accessing the data or the equipment used to process it. The company must explain how it secures its data, with whom it shares the data and how that transfer is carried out.
- Prevention: take care of customers' data through internal processes, restricting access to only those members of the team who need it, so that the data stays under better control.
- Non-discrimination: the processing of personal data can never be carried out with the aim of discriminating against or promoting abuse against its holders. In this case, we are generally talking about sensitive personal data, such as data on racial or ethnic origin, religious conviction and political opinion, for example.
- Responsibility and accountability: the company must be able to demonstrate, with evidence, that it has adopted effective measures and procedures to comply with the law and protect personal data.
The internet undoubtedly makes life easier for everyone, but you have to be careful, because it is also an environment full of malicious actors. Stay informed and enjoy everything technology has to offer.
Master da Web, your cloud solution!☁️
Tags: LGPD