Protection of personal data - its challenges and benefits
João Gago - 01/10/2019
The year 2018 marked the business world with the entry into force of the European Union's General Data Protection Regulation (GDPR) in May 2018. It was not something new for European organizations, which had had two years to prepare, but for the rest of the world it was still little known.
In April 2018, just before the GDPR came into force, Mark Zuckerberg was in the limelight facing questions from members of the US Congress about the numerous privacy violations on Facebook that had been revealed earlier that year. This type of situation was one of the major motivations for the creation of the GDPR by the European Union.
The European Union had already had a comprehensive privacy law since 1995, but the GDPR is significantly stronger, targeting mainly the commercial use of personal data by companies like Facebook and Google. The GDPR was developed so that consumers do not have to rely on the goodwill and ethics of companies to have their privacy protected. Although the GDPR applies only in the EU, it will help protect the privacy of people globally in a number of ways, as it raises international privacy standards and influences other countries wishing to maintain a broad commercial relationship with the European Union.
The greatest proof of this was the approval in August 2018 of the General Law on Data Protection (LGPD) by the Brazilian Congress. The first effects of the GDPR's entry into force were enough for Brazilian organizations to pressure Congress to expedite the approval of the LGPD, since Brazil's risk of being subject to sanctions and commercial losses for lack of clear rules protecting personal data would otherwise become very high. In fact, even with the LGPD, Brazil cannot yet be considered a country adhering to the GDPR, because the new law will only come into force in February 2020 and still needs adjustments and complements, but it is already a great advance to have a law that addresses this topic.
Among the necessary adjustments and complements to the LGPD is the creation of a data protection authority equivalent to the Data Protection Authority (DPA) under the GDPR. The DPA, when established, will be an independent public authority responsible for the supervision and implementation of the LGPD. Its format has not yet been defined, but it should work in the same way as other regulatory agencies or supervisory bodies. The authority may establish guidelines for the promotion of personal data protection in Brazil. The law that creates the DPA will probably also create the National Data Protection Council, a multi-sectoral consultative body that can propose guidelines and strategies, conduct studies and disseminate data protection knowledge in Brazil.
Regulations such as the GDPR and the LGPD bring a number of challenges to organizations, which will need to implement effective personal data governance, in addition to demonstrating total commitment to this new personal data protection agenda, raising their executives' awareness of the subject, and providing continuous training to their employees. The penalties are heavy and amount to 4% of annual revenues in the European Union and to 50,000 reais in Brazil, so demonstrating an effective commitment to adapting to the new regulations will become essential if organizations are not to be punished severely.
However, despite all the pressure that these regulations bring to organizations around the world, the benefits do not accrue only to data subjects, whose privacy will be better protected. By adopting more mature data governance, organizations will be directly defending themselves against a type of crime that has become increasingly common and is often silent: cybercrime. Many times companies are broken into or have their internal data stolen without knowing it, and may later face complications from the leakage of confidential data or even losses from bank or accounting fraud. Cybercrime is not new, but it has grown exponentially worldwide and increasingly attacks ordinary organizations, not only large ones. Lack of access control to internal systems, of protection of the corporate network against intrusions, or even of physical access protection are basic measures that many companies still fail to follow, leaving them vulnerable to external attackers and also to insiders.
In the European Union, organizations are already prepared, or in a very advanced state of preparation, to meet GDPR requirements, but in the rest of the world, and mainly in Brazil, most companies have not yet begun their impact assessments regarding compliance with these regulations, perhaps because they feel that they may not need to comply with them, or even because they do not know this new challenge exists. We must also consider that the Brazilian political agenda was so troubled between 2014 and 2018 that requiring companies to be in line with a new law regulating personal data protection may sound like preciosity, but whoever thinks that the LGPD will not be taken seriously, or will not be given much priority, is mistaken. On the contrary, Brazil will increasingly be challenged to demonstrate that its new law is on the main agenda of government and that the protection of personal data is a serious matter, submitting the LGPD to scrutiny not only by the European Union but also by other countries that already have mature data protection laws and will demand the same from their trading partners.