The General Data Protection Act, sanctioned on August 13, 2018, by the Presidency of the Republic, comes into play at a time when we have seen several cases of personal data leaks from users of large companies such as Facebook, Netshoes and Uber. The law promises to make a big impact on companies’ daily lives as few laws have done before.
An example of misappropriation of data was the case of British political marketing firm Cambridge Analytica. The case has gained worldwide repercussion, making the company admit that it used personal data of Facebook users without permission. According to the law, personal data refers to any information about an “identifiable” person, such as name, email, marital status, address, and others.
The purpose of GDPA is to create regulations for the use, protection, and transfer of personal data in Brazil, whether private or public. In addition, clearly establish who are the figures involved and what are their duties, responsibilities, and penalties – which can reach fines of 50 million reais.
Check out 5 points from the set of laws that will be implemented in August 2020.
1- Data Security
Companies should ensure the security of personal data processed and report information security incidents to the regulator and, depending on the incident, the data owner should also be reported. It should also provide the holder with a means of consulting for free how their data are being processed, the duration of the processing and the integrity of personal information.
Technologies will be critical to organizations in the security issue, as the new law brings privacy management challenges such as the management of consents, the management of petitioners, the lifecycle of personal data and the implementation of anonymization techniques – anonymized data will not be considered personal data by law as long as the process is irreversible, for example, they will never be able to identify who is the holder.
Another change involves the processing of personal data of children and teenagers who will require special attention, such as obtaining consent from a parent before data collection.
Also regarding data security, companies should prepare a Personal Data Protection Impact Report, containing a description of the types of data collected, the basis of the collection and the methodology used for collection, to ensure the security of information.
2- Creation of Data Protection Officer
Companies are also responsible for appointing their Data Protection Officer (DPO), whose main activity will be to monitor and disseminate best practices regarding data protection. According to the law, it is a professional, with technical autonomy and holder of legal knowledge of the regulation.
3- Creation of the National Data Protection Authority
Among its main duties are the establishment of technical standards, the evaluation of foreign clauses and jurisdictions regarding data protection, the determination for the preparation of corporate Impact Reports, the supervision and enforcement of sanctions, dissemination activities and education about the law, and assignments aimed at the correct application of the law and the principles of personal data protection.
4- Consent Form
In the new regulation, consent must be free, informed and expressing the client’s agreement to the processing of his or her personal data for a particular purpose, and generic authorizations are not allowed. If authorization has been obtained through a vice of consent – the famous little box that everyone has seen without reading – data processing is prohibited.
5- Destination of Collected Data
When processing is performed for specific purposes and reported to the data subject, the company may collect and use the data for the purposes of campaigns, promotions, and advertising as long as the use of the data is very clear to the data subject and approved, in other words, the company will not be able to tell the holder that the data will be used for one purpose and end up using it for another.
GDPA Business Benefit
Despite the increased burden on companies, the law can bring benefits to organizations that decide to implement adaptations in a timely and early manner, providing a competitive edge in the market over the differentiated way personal data are processed.
The volume of data obtained from the holders is large and should be treated in different ways. Managers and business owners must be vigilant in protecting and handling the information they obtain from employees, suppliers, and customers, ensuring security throughout the data lifecycle.
How to start?
A good tip is to look for companies that work with privacy management and provide tools for GDPA compliance, such as:
• Legal advice;
• Accounting Office;
• Companies that provide information security software.
Zoox Smart Data, as a Big Data company, has stepped up to the obligation of GDPA and already uses practices aligned with the new laws. As Chief Data Officer (CDO) Eduardo Morelli, we founded our expertise and assisted partners and customers in adapting their processes.
“Privacy was once considered the right not to disturb people. Today the concept has gone beyond the protection of personal data, seen as an extension of personality, therefore an inalienable right of every individual. That’s why the theme is so important: data can destroy reputations, ruin careers or sour marriages “