LGPD comes into force and requires rapid adaptation of companies; understand the challenge
October 19, 2020
Data protection law has legal and technology uncertainties, but institutions need to find a way to ensure compliance.
Alex A

After years of debate, the General Data Protection Law (LGPD) was finally enacted and entered into force nationwide on September 18, 2020. But the publication of the law does not lessen companies' uncertainty about the technical side and about the new legislation itself.

In fact, the LGPD, as it was published, raises more doubts than certainties, making it harder for companies to work out how to comply with the rules.

The certainties about the law are in its main objective: to make citizens the holders of their own data and to make public and private institutions responsible for the life cycle of this data in the organization, including collection, processing, storage and deletion. Those who do not adapt are subject to a fine, which can be up to 2% of the company’s revenue, with a ceiling of R$ 50 million.

Even with the vagueness, companies have no alternative but to adjust to the law and need to do so now.

The search for direction

Alex Amorim, a specialist in information security, knows several sides of this anxiety. As head of security for the education group Cogna, he needed to think about how to adjust the company to the requirements of the new law. He is also president of the Brazilian Institute of Data Security, Protection and Privacy (IBRASPD), which was founded last year by specialists in privacy and data protection to work collaboratively on standards and guidance for companies facing the challenges of the LGPD.

The institute tries to fill a vacuum left by the absence of the National Data Protection Authority (ANPD), which is provided for by law, but has not yet been created by the federal government. The ANPD will be responsible for monitoring the application of the LGPD in institutions and imposing fines in case of violations.

Amorim reports that many companies expected the law's entry into force to be postponed to 2021, both because of the delays in structuring the ANPD and because of the coronavirus crisis. The pandemic also caused institutions to prioritize emergency planning to survive the contingency period. Concern with the LGPD was left for later.

“Companies will need to meet some demands minimally. If they do not have a space on the website where the holder can request the data, for example, they may have problems”, says Amorim.

Where to start?

According to the president of IBRASPD, companies need, at this initial stage, to clearly publish their privacy policy, which cookies are collected on the website and through which channel the holder can request their data. In addition, they must also appoint a DPO (Data Protection Officer) to take care of the privacy policy.

Amorim says he noticed the emergence of so-called “miraculous” solutions that guarantee 100% compliance with the LGPD in a week, but these projections are not realistic. “It is impossible to have 100% compliance so quickly. There is no ‘silver bullet’ that will solve all problems at once.”

Vitor Sousa, founding partner and COO of Digibee, sees the market in general as still working through its legal understanding of the LGPD before being able to solve the technical needs of compliance with the law. But the technological challenge is already evident and needs to be addressed as a second step.

“Companies need to be able to track data and know how it is being used in the system’s ‘guts’. Normally, systems are like islands, sharing data within applications, and companies do not manage it”, explains Vitor.

With the LGPD, institutions will need to know exactly in which systems user data is being used and whether that use is in accordance with the law. “They will have to adapt the applications. This is a long and difficult journey, because the applications were created when nobody was aware of this issue”, adds the COO of Digibee.

Faster adaptation

“I know that legacy systems have been around for hundreds of years. But, at the end of the day, the law is for everyone and must be met”, says Alex Amorim, stressing the difficulty that companies will have in adapting their infrastructure to the LGPD. “Therefore, there are solutions on the market that can facilitate this path.”

For the president of IBRASPD, solutions that map and structure the database can greatly facilitate the journey of companies. This is also the case for workflow solutions, which centralize requests made by data subjects.

“Technological solutions will contribute to the LGPD being fulfilled more quickly”, he says. “I can create a privacy bar internally, but how long will it take? Why not use a partner who already has this solution? That cost-benefit has to be analyzed very well by companies. Partners can accelerate adaptation to compliance.”

A hybrid integration platform (HIP), like that of Digibee, can be an important data control and audit tool, working in conjunction with specialized LGPD tools. HIPs can, for example, feed LGPD governance tools online with information that is traveling between different systems and falls within the scope of the law. They can also identify “sources” and “destinations” of information and maintain information integrity. This type of use of a HIP will certainly facilitate data governance and the life of the DPO, who will have a central view of the use of this information.

“The positive side of a HIP is that companies, without having to create new infrastructures, are able to feed the LGPD tools with the necessary information to be able to govern the data according to what is required by law”, says Vitor. “The DPO can have many difficulties if it does not have a tool like this”, he adds.

Keeping an eye on the evolution of LGPD

By solving part of the technological challenges, companies can dedicate themselves to better understanding the LGPD, especially with regard to responsibility for the collection and storage of data, which must be consented to by users and protected against leaks. “The company that captured and stored the information with the consent of the data subject is responsible for the data. Therefore, they need to follow, in detail, the evolution of the LGPD”, says Fernando Gazaffi, head of Digibee’s legal department.

When the law and the companies have matured along this path, the expectation is for an evolution both in governance in digital media and in the empowerment of the user, who will have the independence to agree or not to the use of their data. But, according to Vitor Sousa, Brazil is still in the first chapters of a long story.

“It seems to me an important advance for society. But we have to observe very well how these implementations will be and how the interpretation of the law will be, making the most of the lessons learned in this process. It is a very long journey”, concludes Vitor.