* By Gustavo Mendes

Every company of any size, whether public or private, has one or more databases with information about its customers and employees. This data is very valuable and is consequently targeted by third parties, since it contains each citizen's personal and sensitive information. With less than a year to go before it takes effect, the General Data Protection Law (LGPD) arrives to regulate how institutions should use this information, with clear definitions of the purpose of use, whether for collection, manipulation or transfer.

The LGPD defines exactly what personal data is, that is, information that makes a person identifiable, and what sensitive data is: information that characterizes and defines that person's personality. The Law thus gives the holder the right to revoke his decision on the use of his data and to have his information deleted when he so requires. Unauthorized disclosure of this data, manipulation of it in a way that harms its owner, and its improper use are all dealt with in the law, and each violation can bring serious risks to the organization.

Regulations such as the Consumer Protection Code and the Marco Civil da Internet, although they come from different areas, are existing laws under which the Public Ministry and PROCON have already been imposing fines with regard to the protection of personal data. Now the LGPD, which has “General” in its title precisely because it centralizes these rules and gives citizens more security and control over their data, has not been left behind: it created the National Data Protection Agency (ANPD), which will propose sanctions that may reach 2% of the revenue, limited to R$ 50 million per infraction.

The General Data Protection Regulation (GDPR), European legislation on privacy and protection of personal data created in 2018, served as the basis for the drafting of the LGPD and, in its first year, already applied severe penalties to relevant market players such as Google and Facebook. According to the European Commission and the International Association of Privacy Professionals (IAPP), in the first 12 months of the law being in force, more than 89 thousand notifications were made to the European authorities and the amount of fines imposed reached approximately 56 million euros.

In addition to the fines, which obviously can impact financial health and quickly decapitalize the company, there are other factors that put the organization at risk. A lack of care with data and of knowledge about the Law signals to the market and to customers that the company is negligent in the way this data is treated, which can generate a bad reputation for the company. Consequently, this can cause the loss of crucial factors and seriously compromise the company's operation, whether small, medium or large: important partnerships, investors, investments and business opportunities.

The rigor of European law shows a conduct that we must follow and a lesson that we can learn: we have to prepare for the LGPD in order to implement a new organizational culture in which the holder is in control of his data. To this end, organizations must comply with the law to mitigate risks and possible financial damage and to preserve the company's reputation, the latter in particular, since the loss of credibility with consumers can damage the company's image. Ensuring the protection of personal data is the main item of this law, but above all it will require organizations to convey transparency and trust to their customers.

* By Gustavo Mendes, Sales Engineering at Adistec Brasil

Warning: The opinion presented in this article is the responsibility of its author and not of ABES - Brazilian Association of Software Companies