The evolution of technological systems and resources has shaped a new reality based on globalization and the use of networks, opening the curtains on the digital age we live in today. Digital data is now just as important as physical documentation, since systems allow almost any procedure to be carried out electronically. It is all data, from the information in an individual’s social media account to the account details and financial transactions stored in banking systems.
Law No. 13,709/2018, known as the General Data Protection Law (LGPD), sanctioned by former president Michel Temer in August 2018, was created to safeguard the personal data that people provide and to govern how it may be processed by individuals or legal entities, in order to preserve the privacy of the data provider as well as the inviolability of their honor, intimacy and image. The law establishes a relationship between three figures: the data subject, the controller and the operator. The data subject, as the name suggests, is defined by the Law as the “natural person to whom the personal data being processed refer”. The controller and the operator, which the legislation calls “processing agents”, play the roles of deciding on and carrying out, respectively, the operations that process or use the data provided.
The LGPD also amended Law No. 12,965, of April 23, 2014, better known as the Civil Rights Framework for the Internet (Marco Civil da Internet), which until then had been the main statute governing the handling of personal data online in Brazil.
But what changes? Where did this law come from and why? The law was modeled on the European General Data Protection Regulation (GDPR), which laid down strict rules for collecting, processing and sharing personal data and which already reaches systems in Brazil that offer goods or services to, or monitor, people located in Europe. It is no wonder that many companies have already changed their terms of use to reflect these rules, and that many users probably did not even notice, because they did not read the new terms and simply accepted them.
The main thrust of the LGPD is the regulation of the processing and use of personal data recorded in electronic systems, most often by legal entities, although the Law does not exclude individuals from its scope. The legislation obliges organizations holding this data to follow the established rules, under penalty of the administrative sanctions listed in the Law itself. In this article, we will discuss both the functions of the Law, based on the legislator’s intention in creating a specific rule for the use of digital data, and the structure of the legislative content and the importance of its regulation.
As stated above, the General Data Protection Law aims to protect the privacy, intimacy and honor of the person providing personal data by governing how that data is collected and processed. This protection is necessary because a data leak can compromise the security of the data subject directly, since nearly everything, including bank details, is now stored electronically. The law regulates, especially for legal entities, how the data in their possession must be processed, and distinguishes personal data from sensitive personal data. The difference lies in the content: the harm that certain information can cause is greater for sensitive personal data (such as data on health, religion, political opinion, sexual life, or genetic and biometric data), so the protection afforded by the legislation is correspondingly greater. In both cases the first legal basis the Law lists for processing is the data subject’s consent, under Article 7(I) for personal data and Article 11(I) for sensitive personal data, with consent for sensitive data required to be given specifically and prominently; the other hypotheses listed in those articles are the exceptions under which processing may occur without consent.
But what if a company does not comply with this law? How will enforcement work? In Brazil, a new body is being created to oversee this data, the National Data Protection Authority (ANPD), established by Provisional Measure (MP) 869/18. This body will be responsible for monitoring whether organizations are complying with the LGPD, and it can request data protection impact reports, carry out audits and impose fines if it finds irregularities. The ANPD will communicate with organizations through a fourth figure (in addition to the three mentioned above), the person in charge (encarregado), who acts as the channel of communication between the controller, the data subjects and the ANPD. Liability for damage caused by misuse or leakage of data falls on the processing agents, the controller and the operator, under the Law.
What is the best way to comply with the law? What should I do? First of all, the ideal is to create a Security Committee, or hire a company to do so, to map the entire flow of data through your systems: where it enters, where it travels, how it is stored and with whom it is shared, and then to assess what changes the process needs. The law comes fully into force in August 2020, so it is very important to start this process now, leaving enough time to make the necessary changes in your organization and comply with the regulations.