General Data Protection Law: Change in Legislation Leaves Technology Sector on Alert.

Due to the constant occurrences of online data leaks, authorities have decided to act strictly to protect users. Individuals and public or private companies that collect personal data to allow navigation on their websites or provide products and services must comply with the guidelines of the General Data Protection Act (LGPD), which will come into effect in February of 2020.

Law number13.709, sanctioned in August of 2018, establishes the regulation for the use, protection and transfer of personal data in Brazil, in the private and public spheres, promoting changes in the regulations of the Internet Civil Framework (Law No. 12,965 / 14). It is based on the GPDR (General Data Protection Regulation), strict data protection laws passed by the European Union three months earlier.

Despite the complex new legislation, it is possible to adapt procedures and systems without making major changes to the existing digital structure or large investments. For this reason, it is essential to understand the LGPD well and to seek legal advice from professionals specialized in this segment.

First Steps to Compliance of the General Data Protection Act

The first step to be taken for the LGPD is to seek the advice of a specialized lawyer. This professional will help company managers understand the changes the law proposes, the most critical points for the type of business and the consequences the General Data Protection Act may impose.

“In addition, a Digital Law expert can check data capture and processing procedures and provide information about the current level of digital security. Based on this information and the degree of safety presented by the company, it is possible to evaluate which stages of the operation can be maintained with minimal changes, and which segments will need to be completely redesigned to be LGPD compliant,” explains attorney Guilherme Nagel. emphasizes attorney Guilherme Nagel, founding partner of Sotto Maior & Nagel law firm who is an expert in Digital Law. The office is headquartered in Florianópolis and São Paulo.

Transition plan

After the initial diagnosis, a transition plan should be set in motion from the current data system to the new system, according to the guidelines of the General Data Protection Act. This transition must be made carefully so as not to compromise the routine operation of the company, while meeting the stipulated deadline for compliance – February 2020. “The attorney will also closely monitor each phase of planning, suggesting small changes if any process proves practically inefficient,” adds Nagel.

Under the new legislation, the National Data Protection Authority (ANPD), the regulatory department for this sector, may request detailed reports on collection of information at any time. As a result, it is suggested that companies create crisis management protocols in case of data leakage. “If a company has not designed procedures such as these, the Digital Law professional can also help with the formatting process,” adds the Sotto Maior & Nagel partner.

Data Protection Culture

For companies to be properly compliant with the new rules, managers will need to implement a strong organizational culture that prioritizes data protection. “It is imperative that the entire team understands how delicate collecting and handling personal information is,” says Nagel.

In this sense, managers who do not monitor Information Technology (IT) sectors closely will have to rethink their concepts. They keep the IT department ‘disconnected’ from the IT industry because they don’t have enough technology knowledge to actively participate in the strategies. However, this connection must be established for transition strategies to be designed. A lawyer can also help with such issues by making communication simpler and more assertive. “It’s also important to educate employees to adopt safe network practices to prevent ransomware and phishing contamination, for example,” says Guilherme Nagel, citing types of malware that capture data or files from users of a computer.

The General Data Protection Law aims to ensure the privacy of personal data and allow greater control over them, contributing to the development of the sector in the country, and implements heavy fines for non-compliance. “The fine can reach $50 million. In addition, companies that do not comply risk losing contracts with other companies that require personal data compliance,” says Nagel, referring to compliance with internal and external laws and regulations. Limitations to operations in countries that require such adjustments is yet another inherent risk.

---

SOTTO MAIOR & NAGEL ADVOGADOS offers advice for analysis, implementation, adaptation and monitoring of the Data Protection area of companies. With a team of lawyers specialized in Digital Law, the firm offers consulting and performs conflict resolution for issues related to Data Protection, Intellectual Property, Startup Law and Business Compliance, among other areas.