
By Odilon Costa *

More than 100 countries have specific data protection laws (in Brazil, the LGPD) for their citizens, and some have an independent data supervisory authority with powers to ensure compliance, including with encryption requirements. In every country where the data protection law was adhered to, business dynamics improved.

According to the KPMG International survey "Guardians of trust: Who is responsible for trusted analytics in the digital age" (2018), 92% of executives do not trust their company's data analytics process, which makes hiring an external service provider highly recommended. Here are six recommended topics when establishing LGPD compliance:

Establish principles that allow users to know and manage the data collected about them: beyond explicit consent, the company receiving the information must provide the user with everything they need to know, and the user has the right to view, correct and delete the data that has been collected. Processing is allowed only on the legal bases provided for in the proposal, such as legal obligations, contractual obligations and credit protection;

Adopt a set of controls that keeps only the data of active users and enables a secure portability process: personal data should be deleted once the relationship between the customer and the company ends; data subjects must be able to correct the data a company holds about them; and personal data may be transferred only to countries with an "adequate" level of data protection;

Maintain audit trails to support the principle of causality: the law states that a company must be able to explain how it reached each automated decision it makes;

Deploy and improve information security systems: in addition to collecting only the data necessary for the services provided, companies must have security measures in place to protect personal data from unauthorized access and from "accidental or illegal situations" of destruction, loss, alteration, communication or any other form of improper or illicit processing. This data must be encrypted, and the user's right to anonymity must be guaranteed, so that users' exposure is limited in the event of a leak. The person responsible for data management must report any "security incident" that may bring risk or damage to the data subject, for example a leak or a hacker attack;

Create mechanisms to support possible "joint and several liability": the law establishes roles and responsibilities for controllers and operators in the event of violations, with a likely increase in civil actions by data subjects following leaks. The expected result is extra care in decisions about data usage, together with clearer definition of the relationship and controls between companies;

Implement a privacy governance program that, at a minimum: demonstrates the controller's commitment to adopting internal processes and policies that ensure compliance with rules and good practices for the protection of personal data; applies to the entire set of personal data under its control, regardless of how it was collected; is adapted to the structure, scale and volume of its operations; establishes appropriate policies and safeguards based on a systematic assessment of privacy impacts and risks; and has incident response and remediation plans that are continuously updated with the information obtained from ongoing monitoring and periodic assessments.

* Odilon Costa is CEO of Tree Solution

Warning: The opinion presented in this article is the responsibility of its author and not of ABES - Brazilian Association of Software Companies
