What changes with the postponement of the General Personal Data Protection Law?
By Rafael Variz
Provisional Measure n° 959/ 2020 was published by the Federal Government on the last Wednesday of April (04/29/2020) which, in addition to regularizing the payment of the emergency benefit, extends the effective date of the General Data Protection Law (LGPD) for May 2021.
This is the second time that the law has been extended, having previously been expected to be introduced in August this year.
In order to understand a little about the LGPD, it is important to understand that its proposal is to establish measures that control the data of individuals stored by companies and the way they should be used, collected and discarded.
Until now, Brazil did not have any law that directly controlled the use of personal data that companies have registered and, therefore, there were no clear ways from the legal point of view to hold organization accountable in the event of misuse of these data.
According to Law n° 13.709/2018, a rule that governs the General Law for the Protection of Personal Data, the purpose of protection is to respect privacy, freedom of expression and communication, information and opinion, the inviolability of intimacy, human rights and free enterprise, as well as free competition and consumer protection.
In addition, the law separates the types of data in personal ─ and sensitive data, for knowledge about ethnicity, religious and sexual opinion, genetic data, among others.
With these new rules, Brazil will have similar data privacy criteria to most European countries, such as the GDPR – General Data Protection Regulation, in force since 2016.
The impact of the General Data Protection Law for Brazilian companies
Before the prospect of implementing a data protection law, it was common for organization to accumulate information from people who might never be use or,
worse, used in a harmful way. And, as stated earlier, if there was a leak, companies could not be properly held responsible.
Now with the new law, information collection measures should be stricter. Organizations need to receive authorization to use the data received, in addition to clarifying how it will be used.
In addition, companies need to maintain consolidated storage protection planning and report immediately if they notice any errors or leaks in their systems. If the organization breaches the rules of the law, it can receive fines of up to R$ 50 million or the obligation to bear all the responsabilities and erase the data involved.
As a result, companies should think twice before collecting unnecessary information or rethinking their cyber security planning to avoid future headaches.
Therefore, we can conclude that the LGPD will bring interesting changes to the organizational culture of companies, mainly because it affects several sectors, such as Human Resources, marketing, Information Technology, among others.
The data collected from individuals is personal information and companies must understand the responsibility of carryng this material, in addition to the importance of preserving and securing such data. They are not just numbers or letters, behing them there is a human being who trusts the organization and confidentiality of the company when handing over their personal data.
Rafael Variz is IT Director at HLB Brasil