Today we celebrate the International Day for the Protection of Personal Data. This date was established in the European Union in 2006, but today it has become a global initiative that is supported by the ANPD, our National Data Protection Authority. We take advantage of the date to bring you some tips and information about the protection of personal data in your company:
- Personal data is not only registration data.
When we think of personal data, we immediately think of information such as name, CPF and RG, addresses and other information that identifies someone. However, the LGPD (General Law of Data Protection) defines personal data as any information related to an identified or identifiable natural person. So, depending on the context, many other kinds of information can be personal data, such as histories, messages and analyses about a person, even when there is no direct identification of who that person is!
- Ask yourself what your company uses personal data for and whether it is even necessary.
The LGPD states that no personal data may be collected or used unless it is necessary for one or more specific purposes. So if you cannot justify why you need to collect personal data or keep it stored, you probably should not collect it and may not even use it. On the other hand, the LGPD provides several legal bases on which a company can ground its use of personal data and, depending on the purpose of that use, it may be possible to do so even without the consent of the data subjects.
- Knowing your internal processes is fundamental for any company.
It is not possible to protect data privacy properly without knowing the company's processes. Information flows, their purposes and the corresponding activities determine what can and cannot legally be done with data and which protections and safeguards are needed. A thorough understanding of how this information is used, including whether it will be shared with third parties, is also important for providing appropriate transparency to the affected individuals, as this is one of the LGPD's requirements for the use of personal data.
- Security and privacy should be a constant concern for every company.
A compliance project is no guarantee of data protection and will not be effective if the company is not dedicated to the security and privacy of this data on a daily basis. A person in charge, or a committee, should bring knowledge and engage all the company's employees so that they know and respect the rules and good practices. This is how leaks and the creation of data protection risks are avoided. Importantly, Brazil showed the second-highest increase in the total loss from a data leak between 2019 and 2022 and recorded an average total loss of $1.12 million per leak that year. Malicious attacks were the main cause of the leaks, accounting for 47% of cases in Brazil, while 28% were due to system failures and the remaining 25% to human error (cf. IBM's Cost of a Data Breach Report 2021).
- Governance in privacy and data protection, besides avoiding risks, brings value to the company.
By knowing its processes and its security needs, a company can streamline them and implement other governance and accountability measures that can even generate gains in value. For the third year in a row, research shows that the return on privacy investments has been increasing, reaching an average of 1.9 times the amount invested, and, in Brazil, 83% of the companies that initiated data protection governance projects reported a positive impact (cf. Cisco 2022 Data Privacy Benchmark Study).
The protection of personal data has been one of the most important corporate governance and risk management issues of recent years and is likely to gain even more prominence in 2022, with the beginning of preventive and punitive action by the ANPD.
By the way, speaking of the ANPD, it published today the Regulation on the application of the LGPD to small-scale processing agents. This new regulation relaxes the application of some LGPD rules for micro and small companies and startups, provided they do not carry out activities that pose a high risk to privacy or belong to economic groups with high turnover. The main benefits for them are the exemption from appointing a person in charge of personal data processing (the "DPO"), doubled deadlines for complying with legal duties and the option of meeting some LGPD obligations in a simplified form. In the coming days, we will comment on this new regulation.
Should you be interested in further information, our Privacy and Personal Data Protection team is happy to help you!