Let's talk a little about LGPD

Your company according to the law 13.709/18

What is LGPD?

We need to talk about LGPD for the simple fact that companies and organizations have strong responsibilities in relation to the protection of all personal data of their employees, suppliers and customers. Brazil concentrates 92% of ransomware cases in Latin America. It was the fifth country most affected by the WannaCry Ransomware in 2016 and also the fifth placed on the list of vulnerable devices, according to an Avast study (Avast is one of the largest security companies in the world that uses next-generation technologies (next-gen ) to fight cyber attacks in real time).

Throughout that time we had several cyber crimes, some of them became very famous as: nRanson, Bad rabbit, ExPetr among many others that derive from ransomware. In recent years, several countries have questioned the security of information for individuals and companies, since then many scandals and data leaks from companies that are familiar to us, such as Facebook, for example, have had strong proportions in the media.

This is such a serious matter that in May 2018 the European Union transformed data protection into law - the GDPR (General Data Protection Regulation), and, three months later, it was Brazil's turn, through Law No. 13.709 / 2018. Our General Data Protection Law (LGPD) regulates the use and treatment of personal data, both by the private sector and the government, in an attempt to protect them against leaks and misuse.

In this case, it will be up to all companies and public bodies that deal with personal data (whether digitally or not) some responsibilities.That is, if your company performs a simple CPF registration, for example, you need to adjust to the new data law. If you have a register with your employees' personal data too.

SANCTIONS

The administrative sanctions for non-compliance with the LGPD are provided for in Art. 52, which are:

  • Warning, indicating the deadline for adopting corrective measures;
  • Simple fine, of up to 2% of the net income of the legal entity under private law, group or conglomerate in Brazil in its last year, limited in total to R$ 50.000.000,00 for infringement;
  • Daily fine;
  • Publication of the infraction after duly ascertained and confirmed its occurrence;
  • Blocking of personal data involved in the offense until it is regularized;
  • Elimination of personal data involved in the infraction.

GOOD PRACTICES

What is different about an LGPD adaptation project from an IT perspective is precisely data protection and not just information security. Organizations in the implementation phase or that already have an Information Security Management System in place generally rely on technical standards such as the ISO / IEC 27000 family (in particular 27001 and 27002). A company with a well-implemented ISMS is already a good part of the way to reach compliance, but standards such as ISO / IEC 27701, specifically aimed at Privacy Management, are an important extension of the previous ones both for the assembly of an ISMS (Information Privacy Management System) and for a Privacy and Data Protection Governance program.

With the LGPD, it is not enough to be in compliance, it is necessary to demonstrate compliance in addition to paying attention to important principles such as adequacy, free access, accountability and accountability, transparency, among others. Regardless of whether the organization is able to purchase products and implement ISOs, none of this works if the culture does not change. At the same time that the project is done, the mapping and if the organization chooses to hire a consultancy, it is necessary to start the acculturation of the employees.

Data are important assets, sometimes worth more than money. The other investments will come later with items and products recommended within the mapping process. This depends on the maturity and resources of each company.

Did you like it and want to know more? Contact us.