Company executives must understand how the LGPD impacts their organization and the main consequences of non-compliance with the law, and that understanding must be disseminated at all levels of the organization
By Roberto Wik
The new General Data Protection Law in Brazil (LGPD – Law 13.709/2018 / MP No. 869), which was passed by the National Congress in 2018 and came into effect last year, is making many companies apprehensive. After the booms of ISO 9000, ISO 27000, SOX, among others, the LGPD is certainly one of the recent laws with the greatest impact on organizations in general, and it addresses the issue of data governance like no other.
The LGPD, in large part like the General Data Protection Regulation (GDPR), in force in Europe since 2018, aims to bring more rigor to the way in which private companies and government bodies address the privacy and protection of the data of Brazilian citizens. Personal information can range from home addresses, schools attended, dates of birth, social security numbers, car registration numbers and medical information, to data on occupation, monthly income, risk profiles and much, much more. And not all of this information stays with its original owner: much of it is also shared with suppliers, partners and third parties. In other words, the law will have a significant impact not only on individual company departments, such as legal, administration and information security, but on the entire corporate ecosystem.
Define your Journey Steps
Being ready for the LGPD means much more than being compliant with the law. This journey can be defined in five main steps:
1. Engage the various areas of the company in the project, as they are affected by the LGPD because they use customer or employee data in their activities.
2. Identify what data your organization uses. Know what data your organization manages, where it is, who uses it, for what purpose, and how it is protected.
3. Train your employees and educate them about the importance and impacts of the LGPD.
4. Modify your business processes to support audit requests and consent management.
5. Review and manage your security and privacy policies and review all relevant third-party agreements.
This journey is a continuous and evolving process, with opportunities to introduce new solutions that help mitigate LGPD-related business risks, such as robotic process automation (RPA), artificial intelligence (AI), the internet of things (IoT) and master data management (MDM).
Take the Benefits from It
In this period of uncertainty and adaptation, there are also a number of positive reasons to embark on this journey, including opportunities to strengthen customer relationships, make services more competitive by making them more personalized, and leave a door open to new opportunities in order to achieve more revenue and drive the digital transformation process in organizations.
· Define clear metrics – customer-centric goals such as reducing attrition rates and increasing customer acquisition can help increase the perception of data governance as an enabler of customer centricity.
· Focus on one area at a time to help monitor progress and refine strategy and investments.
· Promote collaboration – ensure buy-in from everyone involved in data governance across the enterprise ecosystem.
· Define accountability for data governance; for this to work, a cultural shift across the enterprise ecosystem is required.
· Use purpose-built technology to automate and scale data management and governance – you can’t rely on human resources alone to handle the data explosion. Technology allows you to provide a cost-effective solution that fits your future needs.
LGPD Penalties and Fines, and GDPR Cases
Although the LGPD came into force in Brazil in September of last year, the sanctions provided for by the new rules are only now beginning to apply. From August 1st, 2021, companies across Brazil that have not adapted may be punished with sanctions that include warnings, blocking of data and fines of up to BRL 50 million per infraction or 2% of annual turnover (whichever is higher).
For the GDPR, fines can reach up to €20 million or 4% of annual turnover. After the regulation began to be enforced, it took a while for fines to be applied extensively by Data Protection Authorities across the EU. Between January 2020 and January 2021, GDPR fines rose by nearly 40% and penalties totaled €158.5 million. Data protection authorities recorded more than 121,000 data breach notifications, almost 20% more than in the previous 12-month period.
Companies like Google (€50 million), H&M (€35 million), TIM (€27.8 million), British Airways (€22 million) and Marriott (€20.4 million) have been fined by EU Data Protection Authorities. More recently, Amazon received a record-breaking €746 million fine for alleged GDPR violations related to how it performs targeted behavioral advertising. This fine is the largest ever issued in the European Union for GDPR violations. Before this decision, the largest fine was the €50 million against Google for not correctly obtaining consent when processing users’ data during Google account creation or for advertising purposes.
In summary: companies need to better understand the data they hold, how and why they keep it, how they obtained permission to use and store it, and with whom they share it.
Sources: www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/Lei/L13709.htm, Genesys whitepaper, Tessian
Roberto Wik is Executive Consultant, Entrepreneur and Director of Technology and Innovation at Vecte. With more than 20 years of experience in multinational Business and Technology Consulting companies, he worked for 3 years on procurement portals in Brazil and the Middle East, and has also worked at the largest hospital in Latam and the 3rd largest global aviation company. A graduate in Mechanical Engineering, he holds an Executive MBA in Finance.