* By Thomaz Côrte Real
The COVID-19 pandemic, in addition to the already widespread health problems, has also had a significant impact on global economic activity. This is because one of the main measures encouraged by health authorities to try to contain the spread of the virus is voluntary and, in certain cases, forced isolation. Faced with this isolation, many companies had to accelerate their digital transformation processes and were challenged to move a large part of their structure into their employees' homes and adapt to teleworking. This disruption also brought an enormous concern: how to guarantee the security of confidential information, as well as of the personal data that will be processed in this new remote work scenario?
Although companies are reallocating resources and implementing cost containment policies to overcome this health crisis, the imminent entry into force of the General Data Protection Law - LGPD (Law 13.708 / 2018) makes it imperative that companies start a journey of implementing governance and good data protection practices. The law governs the processing of personal information in order to protect the fundamental rights of freedom and privacy and the free development of the personality of the natural person. To this end, it proposes the adoption of security, technical and administrative measures capable of protecting personal data from unauthorized access and from accidental or unlawful destruction, loss, alteration, communication or any form of inappropriate or illicit processing.
There is no standard compliance plan applicable to all companies, nor does the LGPD provide a ready-made recipe for how companies should adapt to issues involving the processing of personal data. Broadly, however, the law suggests that data processing agents (Controller and Operator) formulate rules of good practice and governance that establish the conditions of organization, the operating regime, the procedures (including those for complaints and petitions from data subjects), security standards, technical standards, specific obligations for the various parties involved in the processing, educational actions, internal mechanisms for supervising and mitigating risks, and other aspects related to the processing of personal data.
Companies are expected to undergo a major transformation, implementing a culture of privacy and personal data protection that until now has been left in the background. They will need to adopt a new stance on handling the large volume of personal data that has always traveled through their different areas, and now also through the homes of their employees, often without due control and security. They should also think about privacy and data protection from the design of their products and services through to their execution.
The Brazilian Association of Software Companies - ABES offers its members and companies in the sector studies of the legislation through working groups promoted by the entity and training courses from the ABES Academy. Most affiliated companies have already started implementing governance programs and good practices in privacy and data protection. However, the current state of the Brazilian market's preparation for the LGPD is that 60% of companies still do not meet the requirements of the new law. This figure comes from the ABES Index of LGPD which, in partnership with EY, measures the compliance level of companies from different sectors that fill out a free online diagnostic. The aim is to enable a self-assessment of compliance with the law and, through the result of that self-assessment and the suggestions for adaptation, to help create a business world where personal data is properly protected and respect for the rights of data subjects is taken into account in our work practices.
* Thomaz Côrte Real is a lawyer, specialist in corporate, tax and data protection law. Member of ABES Legal Department and Partner at MASantos, Côrte Real e Associados