LGPD - General Data Protection Law
The General Data Protection Law (LGPD) is legislation that protects the freedom and privacy of consumers and citizens with regard to their personal data, defining the responsibilities of those who process, use and share that data.
On September 17, 2020, President Jair Bolsonaro signed Law No. 14,058/2020, which rewrote the LGPD's entry-into-force provision, and the LGPD (Law No. 13,709/2018) therefore came into effect on September 18, 2020. The administrative sanctions set out in Articles 52, 53 and 54, however, were postponed by Law No. 14,010/2020 and only apply from August 1, 2021.
Even while the ANPD (the national data protection authority) cannot yet apply administrative sanctions, the rights of data subjects can already be exercised, and a series of legal consequences, including civil liability, already follow from the law.
Since its publication in the Official Gazette of the Union, companies and public agencies have had to adopt measures to comply with the new law, protecting personal data and the privacy of citizens and, in particular, preventing data leaks.
From August 2021, companies that are not in compliance with the law will be subject to fines of up to 2% of their annual revenue in Brazil, capped at R$50 million per infraction.
With the increase in cases of data leaks and indiscriminate data collection in recent years, thinking has shifted towards the protection of personal data: regulating how data is collected and making data security and privacy a right of the citizen. Such regulation has consequences not only for individuals but also for public entities, so governments, companies and society as a whole now have to create mechanisms to prevent leaks and unauthorized sharing of the data they obtain.
We use many services that collect our data with our consent, but without adequate information, that is, without knowing exactly what processing the data will undergo or even with whom it will be shared. There is also the portion of services that collect data without the user's consent, for a variety of purposes, some of them obscure and aimed solely at profiting from the sale of that data.
At this point we need to ask you: have you ever read a data policy, privacy policy or the license/use agreement of any app before using the service it offers? Have you ever refused to use a service because of something you learned from a privacy policy you read? Have you ever needed to delete your data from a service you no longer subscribe to? Isn't it all obscure?
It is for situations like these, among others, that the LGPD regulates the rights of users. The main ones are:
- Confirmation of the existence of processing.
- Access to your data.
- Correction of incomplete, inaccurate, or outdated data.
- Anonymization, blocking, or deletion of data processed in non-compliance with the LGPD.
- Portability of data to another service or product provider.
- Deletion of personal data processed with the consent of the data subject.
- Information about the public and private entities with which the controller has shared data.
- Information about the possibility of not providing consent and the consequences of refusal.
- Revocation of consent.
- Opposition to processing carried out under one of the hypotheses in which consent is not required, in case of non-compliance with the provisions of the law.
- Review of automated decisions.
Some of the measures your company will need to adopt to comply with the LGPD, by way of example:
- The first necessary measure is the appointment of a DPO (the "encarregado", the person in charge of personal data processing), who can be an individual or a legal entity and who will be responsible for continuously evaluating and updating data and privacy policies, as well as the processing performed.
- You must document the entire process of acquiring, processing, and deleting user data. For example: How the data was acquired, what it will be used for, with whom it will be shared, how it will be processed, what security measures are in place to ensure the privacy of this data, and how long the data will be stored. This means that every piece of data obtained will have a lifecycle for review.
- Have a good privacy policy that describes the data collected, the purpose of the collection, how the data subject can exercise their rights and the policy adopted in case of a data breach or leak, and prepare the data protection impact report where one is required.
- The company must delete data that it no longer needs (for example, when an account is closed), unless a legal obligation or another justifiable reason requires it to be kept.
- Adopt information security measures based on recognized standards such as ISO/IEC 27001 and 27002, supported by governance frameworks such as ITIL and COBIT.
- In addition to all this, training policies should be ongoing, alerting employees about information security and data protection, exemplifying legal risks and the procedural measures that will be implemented.
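The measures above amount to keeping a register of every piece of personal data (what was collected, why, on what legal basis, with whom it is shared, how long it is kept) and reviewing that register so that data is deleted when its purpose ends unless a legal obligation requires keeping it. The following is an added example, not Chat Seguro's code or any official LGPD tool: a small retention review over such a register, which also answers two of the data-subject rights listed earlier (access to one's data and the list of entities it was shared with). The record schema, the sample inventory and the review date are all constructed for illustration.

```python
# Added example (not Chat Seguro's code): retention review over a processing
# inventory. Schema, sample records and review date are constructed here.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcessingRecord:
    record_id: str
    subject_id: str                # which data subject the record belongs to
    category: str                  # what was collected, e.g. "account profile"
    purpose: str                   # why it is processed
    lawful_basis: str              # "consent", "contract", "legal obligation", ...
    shared_with: Tuple[str, ...]   # entities the controller shares the data with
    retention_days: int            # how long it is kept once the purpose ends
    retention_starts: Optional[date] = None  # purpose ended (account closed,
                                             # consent revoked); None = ongoing
    legal_hold: bool = False       # a legal duty to keep it overrides deletion


def retention_deadline(rec: ProcessingRecord) -> Optional[date]:
    """Date from which the record may be deleted; None while the purpose is ongoing."""
    if rec.retention_starts is None:
        return None
    return rec.retention_starts + timedelta(days=rec.retention_days)


def evaluate(rec: ProcessingRecord, today: date) -> str:
    """Decide what the review should do with one record on `today`."""
    if rec.legal_hold:
        return "retain-legal"      # kept even if expired, and the reason is recorded
    deadline = retention_deadline(rec)
    if deadline is None:
        return "keep"              # still needed for the purpose it was collected for
    return "delete" if today >= deadline else "keep"


def review(inventory: Tuple[ProcessingRecord, ...], today: date) -> Dict[str, str]:
    """Full review report: record_id -> decision."""
    return {rec.record_id: evaluate(rec, today) for rec in inventory}


def due_for_deletion(inventory: Tuple[ProcessingRecord, ...], today: date) -> List[str]:
    """Records whose retention has expired and that carry no legal hold."""
    return sorted(r.record_id for r in inventory if evaluate(r, today) == "delete")


def subject_access_report(inventory: Tuple[ProcessingRecord, ...], subject_id: str) -> List[dict]:
    """Answer an access request: what is held about the subject, why, and with whom it is shared."""
    return [
        {"category": r.category, "purpose": r.purpose, "lawful_basis": r.lawful_basis,
         "shared_with": list(r.shared_with), "delete_after": retention_deadline(r)}
        for r in inventory if r.subject_id == subject_id
    ]


REVIEW_DATE = date(2021, 3, 1)  # constructed review date

# Constructed sample inventory (hypothetical records, not real customers).
SAMPLE_INVENTORY = (
    ProcessingRecord("acct-1001", "user-77", "account profile", "operate the chat service",
                     "contract", ("hosting provider",), 30, retention_starts=date(2021, 1, 10)),
    ProcessingRecord("acct-1002", "user-78", "account profile", "operate the chat service",
                     "contract", ("hosting provider",), 30),           # account still open
    ProcessingRecord("inv-7781", "user-77", "invoice", "tax reporting",
                     "legal obligation", ("tax authority",), 5 * 365,
                     retention_starts=date(2019, 3, 1)),               # statutory period running
    ProcessingRecord("cons-0042", "user-77", "newsletter e-mail", "marketing",
                     "consent", (), 0, retention_starts=date(2020, 6, 1), legal_hold=True),
    ProcessingRecord("mkt-0043", "user-79", "newsletter e-mail", "marketing",
                     "consent", (), 30, retention_starts=date(2021, 2, 20)),
)

if __name__ == "__main__":
    for rid, decision in review(SAMPLE_INVENTORY, REVIEW_DATE).items():
        print(f"{rid}: {decision}")
    print("due for deletion:", due_for_deletion(SAMPLE_INVENTORY, REVIEW_DATE))
    print("access report for user-77:", subject_access_report(SAMPLE_INVENTORY, "user-77"))
```

The point of the `retention_starts` field is that the retention clock runs from the moment the purpose ends (account closure, consent revocation), not from collection, so an open account is never flagged; and a record under legal hold is reported as retained for a legal reason rather than silently skipped, which is the justification the law asks the controller to be able to give.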
Another important point is that the LGPD applies not only to data obtained and stored in digital form but also to physical data, such as paper records. They must follow the same policy and lifecycle and be included in the impact and security reports in the event of a leak.
With all this to do, the ideal is to hire a professional or specialized company to assess all of the company's processes and review its data and privacy policies, and to require the same of its systems and IT teams, in order to ensure full compliance with the LGPD.
The LGPD in ChatSeguro
Chat Seguro is a lightweight and powerful alternative to existing communication tools, built with a focus on security. We have been committed to the privacy of our clients' data from the beginning.
We do not sell or improperly share data; we share only the data necessary for tax purposes and the data that we are legally required to disclose.
We respect our clients and guarantee them transparency in the management of their data at all times, storing securely on our servers and systems only what is strictly necessary for the maintenance and proper functioning of the tool you subscribed to.
Here are some tips for using Chat Seguro:
- The company should create a document outlining the usage policy for the communicator.
- Employees should be instructed to use Chat Seguro only for corporate purposes.
- Employees should be advised not to share confidential information through channels the company does not control, such as personal email and WhatsApp.
- By using Chat Seguro for corporate communication, your company reduces the risk of data leaks through such channels.
- We are in compliance with the LGPD.
Data security is now an express obligation under the law, subject to penalties. For this reason, the organization's managers must exercise digital governance: understand the risks involved, identify current gaps and implement corrective measures.
From now on, therefore, a data leak caused by information security weaknesses will make the entrepreneur or their organization accountable for the damage it causes.
See the law in its entirety: http://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/L13709compilado.htm
Article written by:
Genilto Dallo
Graduated in Computer Science, Postgraduate in Information Systems Management, and CEO of Chat Seguro
Lucas Balena
Lawyer OAB/PR 85.011
www.balenaadvogados.adv.br