*By Marcos Semola
Since the beginning of 2020, the impacts of the crisis caused by the Covid-19 pandemic have drawn practically all the attention of people and companies. As a result, many equally important issues have been left out of debate and understanding. One of them is certainly the General Data Protection Law (LGPD), which finally came into force on September 18.
I will briefly tell a story here that helps to understand the relationship between the crisis that Brazil is currently experiencing and the LGPD. In short, the law recognized citizens' rights to privacy, and companies will have to adopt measures that legitimize the processing of personal data and respect those rights. It is up to each business to understand its exposure to the risk of non-compliance and to prioritize its compliance measures.
For a few, not even the pandemic took the focus off the LGPD
To begin with, it is necessary to have a broad, holistic and integrated vision of what our LGPD is after all. The definition is very simple: privacy is a constitutional right. Since the law's entry into force, Brazilian citizens have been assured the fundamental guarantee of the inviolability of intimacy and private life. Such legislation is already present in more than 80 countries, such as Argentina, Canada, many in Europe, and also the state of California (USA). Research and consulting firm Gartner estimates that by 2023, more than 65% of the world's population will be covered by specific legislation to protect individual privacy.
This shows that the world has woken up and realized that personal data belong to citizens, and that companies only hold them and do not actually own them. Organizations are responsible for using this information responsibly, observing the appropriate legal bases to legitimize data processing with clear and unambiguous purposes. In practice, the commercial relationship of trust between companies and citizens has a legal limit that cannot be infringed in the name of business interests.
The Brazilian law is modeled on the General Data Protection Regulation (GDPR), which was approved in 2016 and came into force on May 25, 2018. In August of that same year, Brazil also created its legislation, providing for a period of two years, which therefore pointed to August 2020.
However, due to the crisis generated by the pandemic, companies' attention was drawn away from this issue. Added to this is Latin culture in general, and Brazilian culture in particular, which tends to react to a problem instead of acting preventively. To add to this, our Legislature, through various measures, proposed to postpone the LGPD, which created a scenario of insecurity and disbelief about the law's entry into force and its effectiveness.
Thus, few companies have actually prepared for the change in customs, which implies the ability to handle and fulfill citizens' rights regarding privacy. But we are not all the same. I need to make a distinction and divide Brazilian companies and their leaders into three major groups.
The first is precisely the one just described, which feeds on disbelief and unpredictability.
But there are also those who, by virtue of these vectors that postponed the law and pushed the resulting penalties to 2021, hoped for postponement. They are mostly organizations that are very sensitive to the crisis and that, for legitimate reasons, are now putting all their energy - of time and human and financial capital - into ensuring their survival. In general, in a typical crisis situation, all resources are turned to guaranteeing survival, and attention is paid only to maintaining vital signs.
And what is the third group? Fortunately, there are companies in this group in Brazil. Larger or smaller, they are those that were not affected by the pandemic in a way that compromises their survival and that also recognize the obligation to guarantee the citizen's right to private life. These have not been negligent and have been investing in LGPD compliance in the quest to build a relationship of trust in their ecosystem.
They see in this law precisely an opportunity and a way to strengthen the relationship of trust with customers, employees and business partners. They were able to create projects to deal with the new legal reality, ensuring the ability to identify privacy risks, address data subjects' rights and requirements in a timely manner and also respond dynamically to any requests related to privacy and the LGPD, such as requirements coming from the National Data Protection Authority (ANPD). These companies are already ahead of the rest. They developed the sensitivity to project the future based on business decisions planted in the present.
“The leader of a thriving organization needs to involve skills that give him a holistic and integrated understanding of risk vectors, so that he can make assertive decisions and take advantage of every opportunity behind a crisis.”
A milestone for Brazil
The LGPD is a milestone for Brazil; it is really something memorable, as was the Consumer Protection Code. This can also be known as the year in which Brazil stopped to realize that we are paying little attention to the data that belong to us, and that companies may be misusing them in the way they handle this information. But there must be an understanding that, despite the high value of the data, the extraction of data by companies must be guided by common sense and limited to the perimeter at which citizens' privacy rights begin.
Finally, I use the analogy that preparing to meet the demands of the LGPD is similar to building a bridge that will carry people from one river bank to the other. Therefore, I recommend that companies get out of inertia and start building it, or accelerate its completion as soon as possible. Symbolically, this bridge, even though rustic at first, will represent the company's ability to carry citizens from one bank to the other, leaving an environment without rules and respect for privacy for one where the rules are clear and individual intimacy is preserved.
Build this bridge, even if using the scarce resources available, and gradually improve its structure. What should not be done is to remain inert or even lose focus on the purpose of the law by planning a mega-bridge. That will just take too much time, and it may not even be completed due to lack of resources or, in the end, it may end up linking nothing to nowhere.
So be it: think big, but start small and now.
* Marcos Semola, CISM®, CDPSE®, PCI-DSS®, EXIN PDPP® and ISO27K®LA, EY Cybersecurity Partner
* This article by Marcos Sêmola consists of excerpts from the book Reflexos da Pandemia, Editora Global Partners, 2020.
Notice: The opinion presented in this article is the responsibility of its author and not of ABES - Brazilian Association of Software Companies