General Data Protection Law turns 5; find out what has changed so far

Around 80% of companies in Brazil had not yet fully adapted to the legislation.

The General Data Protection Law (LGPD) turned five years old on Monday (14). On August 14, 2018, Brazil saw the enactment of the law, which aims to preserve the privacy and security of Brazilians' personal data.

The LGPD establishes how organizations should collect, store, process and share personal data, guaranteeing the right to privacy and control over individuals' information.

On this anniversary, it is essential to remember the advances and challenges that the legislation has brought to the country's data protection landscape.

As for the challenges, research shows that, as of the beginning of the year, around 80% of companies in Brazil had not yet fully adapted to the legislation.

Check out Portal Contábeis' interview with Mahyra Milani, a lawyer specializing in Privacy and Personal Data Protection at Barcellos Tucunduva Advogados (BTLAW).

To put this into context, why was the LGPD created?
The LGPD is a law that comes from a historical context in which privacy and the protection of personal data have been placed as a fundamental point for the progress of technology, along with the necessary protection of individuals' data.

In addition, Brazil's goal of having this type of legislation is one of the important points for joining the Organization for Economic Cooperation and Development (OECD).

There was already a relevant movement in which other personal data protection legislation was being consolidated around the world, with the GDPR in the European Union standing out. As a result, the LGPD has become increasingly important in putting Brazil at an advantage in this regard.

How do you assess the impact of the LGPD in the five years since its implementation?
The LGPD is gradually taking effect. Over these five years, we have seen a very important movement, in which several companies have engaged in privacy, personal data protection and consequent information security, seeking to create and strengthen a privacy and data protection governance program.

Today, the LGPD is already the subject of several lawsuits (for example, in claims in the Special Civil Court and even in the Labor Court) and has already had its first administrative sanctions applied by the National Data Protection Authority (ANPD), the authority responsible for overseeing and regulating the LGPD.

The implementation of personal data protection measures by organizations, together with the application of this Law in legal claims, has a very positive impact for the holders of personal data processed by organizations, as well as for fostering this culture of personal data protection in Brazil.

Do you believe that the implementation of the LGPD has influenced the way companies collect, store and use users' personal data?
Certainly. With the LGPD in force, companies that process personal data have had to make a huge effort to comply with the obligations brought about by this law. It has been - and continues to be - essential for companies to invest in a mature privacy and personal data protection governance program, guaranteeing the application of security measures for such data.

Are there already cases of companies being fined or suffering consequences for data breaches?
Yes, recently the National Data Protection Authority (ANPD) imposed its first administrative sanctions on a company for violations of the LGPD. In addition, there have already been convictions in lawsuits that also involved this law.

And have citizens exercised their rights under the LGPD in the last five years? In other words, have they been more concerned about their personal data?
Citizens are increasingly understanding their rights under the LGPD and are gradually seeking out the organizations that process their data in order to better understand what is being done with it, and thus demand that these rights be enforced. For this reason, it is essential that companies maintain easy channels to assist data subjects, enabling them to exercise their rights.

Looking ahead, how do you think the GDPR will continue to evolve in the coming years? What areas might still need adjustment or further clarification?
The LGPD tends to be increasingly important for organizations, both private and public. As it is legislation that has implications for information security, and as we are in an increasingly digital context, having this culture of privacy and protection of personal data will always be fundamental.

As sanctions begin to be applied more and more, and as data subjects demand more of their rights, the LGPD will become more powerful. Companies whose activities are highly regulated, for example by the Securities and Exchange Commission (CVM), the Central Bank (BACEN) and so on, need to make a greater effort to also guarantee the protection of the data of the individuals that they process.

Source: Accounting