The General Data Protection Act (LGPD) came into force last year, but it still generates various doubts. Although it is already in force, the fines – which can reach R$50 million per infringement – must begin to be applied from August. Therefore, organizations have a few months to adapt and avoid possible problems in case they do not treat sensitive data in the correct way.
In response to this demand, Rafael Variz and Alexsander Martins, IT experts at HLB Brasil – global auditing, consulting and outsourcing company – have considered five steps that can help companies to comply with the new rules. “When an institution goes through the process of adaptation in accordance with LGPD regulations, it creates a safer technological environment, protecting its data and information, becoming able to offer security to its customers”, they said.
5 STEPS TO COMPLY WITH THE LAW
Every organization that operates in Brazilian territory needs to be aware that the LGPD is a law in force and has been applied since August 2020. The fact that the National Agency for Data Protection (ANPD) has not yet been established to supervise and apply administrative fines does not exempt companies from lawsuits due to lack of accordance if they commit an infringement.
2. Understand the guidelines of the law
It is essential to understand the guidelines and applicability of the law and, if necessary, hire a specialized consultancy for the process.
3. Create a team and define DPO (Data Protection Officer)
The company needs to create a team that has a macro view of operations and, preferably, that has knowledge or is part of the business areas of the organization. The Data Protection Officer (DPO) shall be responsible for the applicability of the law in the adequacy process.
4. Promotion and engagement
Maintaining the synergy of implementation is fundamental to the compliance of the LGPD. In addition, promoting engagement for the data protection cause involving all employees, service providers and supporters they deem necessary is critical to the sustainability of the law within the organization.
5. Safety Certification
It is necessary that the organization certifies the Information Security processes using the standards ISO 27001 (standard for implementation of a management system focused on information security) and ISO 27701 (which aims to add new controls in the management system to ensure total privacy, specifically for personal data).
This certification ensures that the company has undergone a thorough audit process and that it follows appropriate models in its Information Security Management System (SGSI).