LGPD: how to make your company fully compliant

Do you know about the LGPD and how it can impact your business? In this article, I will show you a little more about this law and what to implement for your company to be in full compliance with its regulations.

Nowadays, the importance of using data to guide companies is indisputable. From sales strategies to internal security issues, decisions are increasingly data-driven.

The digital transformation we are experiencing is making it easier and more comfortable to reach and collect data. However, this raises serious questions about the security of all this data, more even when we talk about personal data. After all, no one feels comfortable when our personal information gets disclosed to others without consent.

It is in this context that the General Data Protection Act, or LGPD (in Portuguese), emerges.

In this article, I will tell you what the LGDP is, how it impacts the data management of businesses, and some essential steps for your company to comply with the law before it comes into effect.

What is the LGPD?

LGDP is the acronym adopted for the General Data Protection Law of Nº13.709.

This law seeks to protect the data of individuals and legal entities, establishing norms and rules regarding the collection, processing, storage, and sharing of personal data.

Its main objectives include:

• Protection of privacy;
• Ensure transparency;
• Fostering development;
• Standardization of standards;
• Legal security;
• Favoring competition between markets.

It was sanctioned on August 14, 2018, and will become effective in August 2020.

The LGDP emerged as a law equivalent to the GDPR (General Data Protection Regulation), which is in force in most of Europe.

The GDPR got pushed after the massive data leak by Facebook, where the need for stricter control and punishment for non-compliance companies seen required.

With this, the LGPD comes into being in the context of guaranteeing the fundamental rights of freedom and privacy, ensuring the security of your personal data both digitally and individually.

How does the LGPD impact a company

From the term of the LGPD, any company that deals directly or indirectly with data from persons outside the organization will need to have control and management of this data in full compliance with the law.

These external persons include visitors, service providers, leads, customers, suppliers, and all stakeholders that a company may have.

Every company deals with data from such stakeholders. With this in mind, it is reasonable to say that the requirements of the LGPD cover almost every company.

Therefore, organizations must seek to adapt their practices and their data management so that they comply with government requirements after the term.

It is not only an ethical issue: the fine for personal data leaks can reach up to R$ 50 million.

How to ensure LGPD compliance

To ensure compliance with the LGPD, a company must restructure and readjust all its internal processes that involve third-party data in some way.

Thus, six steps are essential to ensure this restructuring in internal management:

1. Identify the agents involved

To implement processes and tools that enforce a company to be compliant with the LGPD is first necessary to observe all the agents involved in the law.

These agents include:

• The owner: which is the stakeholder who provides your data.
• The controller: which is the company that collects the owner’s data. It’s their responsibility to decide how this data will be handled and managed.
• The operator: which is the company (or person) that is directly responsible for managing the data. He performs according to what is established by the controller.
• The controller: which is the person responsible for implementing the processes and tools that ensure compliance with the LGPD, and acts as a communicator between the agents involved.

The company must, first of all, observe when it acts as a data controller and which tools it uses or which companies it hires to work as an operator of this data.

It is also essential to identify all types of stakeholders that the company has contact with. It can range from visitors to the leads that are generated by your marketing strategies.

This identification process is not as simple as it seems, and a company must have legal support for this step, primarily if it deals with data from multiple sources.

2. Identify essential data

The next step aims to identify all the vital data that your company needs to collect from its owners.

Data collection is essential for many companies, both for growth and sales strategies that are data-driven, as well as for office security, involving visitors and suppliers.

However, a company should not collect more data than is crucial to the execution of its strategies and ensure its security.

We recommend to list all the necessary data and have it mapped, identifying which stages of your internal processes need to change in pursuit of compliance.

3. Ensure consent in data collection

One of the pillars of the LGPD is the consent of the data. Subject to the collection and processing of it.

At all times of data collection, it is mandatory to have a clause, term, or tool that guarantees consent at the time of data collection.

Such consent is represented by the infamous: “I have read, and I accept the Terms of Use.” Which may be a detail ignored by many, but which guarantees the consent of the data provided.

It is also crucial that a company seeks compliance with its own information and data regarding third parties such as visitors and suppliers.

A critical step in increasing the security of your data is the implementation of a Non-Disclosure Agreement (NDA), which ensures that your data is legally protected.

4. Ensure supplier compliance

When it comes to the LGPD, it is not just you and your processes that must comply with data management.

Some of your suppliers will act as operators of the data of some of your owners. Visitor Management Systems, for example, act as operators of company visitor data.

As a result, you should only work with suppliers that are also LGPD compliant. If not, you may be legally responsible for failures and leaks caused by your suppliers.

5. Assign who’s responsible in the company

If your company deals with a lot of data of different natures, mainly data collected digitally, there must be a fixed person in charge.

It is in this context that the need arises for a Data Protection Officer (DPO), who becomes responsible for the management and control of this data. DPO is a growing function within IT departments and technology companies and is highly recommended to ensure proper data management and compliance with the LGPD.

In smaller companies with less data involvement, it may not be necessary to create a position, but there must be a person in charge of it in the company.

6. Get legal support

After you work on all the other steps, you’ll be on your way to being LGPD compliant.

However, it is still imperative that you have legal support. After all, only an expert can observe every detail of your business and identify possible failures in data management in your processes or changes in your contracts and documents.

Therefore, after making the changes, seek some legal advice to ensure compliance throughout the company.

What are you already doing to ensure compliance with LGPD?

If you need support for compliance with your visitors’ data, be sure to contact us.