Some impacts of the LGPD on companies are already seen and proven, requiring changes in policies, processes, technologies, and organizational culture.
The LGPD (General Personal Data Protection Law) came into force in August 2020 and regulates the processing of Personal Data and Sensitive Personal Data at the national level, as well as the international transfer of Personal Data and Sensitive Personal Data collected in Brazil, with natural and legal persons subject to supervision ever since. Personal Data is information related to an identified or identifiable natural person (Article 5, I, of Law 13,709/2018), while Sensitive Data (Article 5, II, of Law 13,709/2018) is information that can be used in a discriminatory manner and, therefore, requires special protection. With regard to children's personal data, the LGPD dictates that the specific consent of at least one parent or legal guardian is necessary (art. 14, paragraph 1).
Before commenting on the impacts of the LGPD on companies, it is important to remember that the LGPD regulates any and all activities involving the use of personal data, by physical or digital means, by natural or legal persons, throughout the national territory or in countries where the data is located. It covers data relating to any person, whether Brazilian or not, who is in Brazil at the time of collection; data processed within the national territory, regardless of the medium applied, the operator's headquarters country, or the country where the data is located; and data used to provide goods or services. However, the LGPD only applies to individuals or legal entities that manage data for economic purposes.
The application of the LGPD is extraterritorial, since its incidence is not restricted to persons domiciled or established in Brazil. The following cases are considered: 1) if the data processing operation is carried out in the national territory and 2) if the personal data was collected in the national territory.
With the exception of cases of personal data processing excluded from the scope of the LGPD (art. 4), the law has effects on any natural or legal person, governed by public or private law, who carries out a personal data processing operation, by physical or digital means. This means that the duty of compliance must be observed by everyone who, although located outside the national territory, offers goods or services to the Brazilian consumer market or collects and processes data from people located in the country.
LGPD — PRINCIPLES AND LEGAL BASES
The main objective of the LGPD, which directly shapes its impacts on companies, is to ensure transparency in the use of personal data, since its parameters are privacy and the protection of personal data. It is important to understand what is considered personal data. Previously, when registering purchases, for example, individuals had to provide a series of personal data, which were often not even used for the purchase itself. These data were later marketed without authorization, when they should have been treated confidentially. With the LGPD, the data subject explicitly authorizes the disclosure of their data, and companies that ignore consent are subject to a fine.
The basis of the LGPD is consent, which must be received explicitly and unequivocally. It is necessary to request the authorization of the data subject before the processing is carried out. Processing without consent must be the exception. In other words, it is only possible to process data without the citizen's authorization when this is essential to comply with legal situations provided for in the LGPD and/or in previous laws, such as the Access to Information Act (LAI).
The LGPD arrived to amend Law No. 12,965 of April 23, 2014, popularly called the Internet Civil Framework, which regulated these transactions until then. It is based on the GDPR (General Data Protection Regulation), the European regulation that uses the fundamental rights of freedom and privacy as a guide to establish rules regarding the collection, storage, and sharing of personal data.
According to the LGPD, the following principles must be observed when processing personal data: Purpose, Adequacy, Necessity, Free Access, Data Quality, Transparency, Security, Prevention, Non-Discrimination, Accountability. With the entry into force of the LGPD, companies face a major challenge: they must review their data governance and privacy processes. It will be essential to carry out a mapping that details how personal data is treated and its entire life cycle within the company, that is, where it goes, where it is stored, who has access and whether it is shared with third parties. Based on this analysis, it is possible to assess the level of maturity of the processes within the company, as well as the risks involved. Only then, with the deficiencies detected, do the procedures begin to transform the data transaction into a secure transaction, in accordance with the principles of the LGPD.
SOME IMPACTS OF THE IMPLEMENTATION OF THE LGPD
When talking about the impacts of the LGPD on companies, we can start with the implementation. The implementation of the LGPD had a major impact on business relations, both commercial and consumer, which require data collection, especially in the current trend of data processing for the purpose of drawing consumer profiles. Companies that collect user data must comply with the requirements of the LGPD, especially in relation to the express consent of users regarding the collection and processing of data, its purpose, and the possible transfer of their data to third parties.
Labor relations have also undergone significant changes, as the employer holds personal information of its employees. Although the LGPD authorizes companies to use the personal data of their employees and service providers (art. 7, V and IX) for the legitimate execution of contracts, for the benefit of the worker himself, attention and caution regarding the rules of the LGPD are necessary in all phases of processing. In cases of outsourcing services, it is also necessary to obtain the employee's written consent before processing their data, especially before transmitting it to third parties. In addition to the employee's consent, it is also recommended that companies create specific obligations in their business contracts, in accordance with the requirements imposed by the LGPD on data processing.
Data subjects may rectify or cancel their data, or even request its deletion, at any time. The LGPD empowers consumers to control their data and also to punish those responsible for any damage caused by the misuse of their information.
The ANPD (National Data Protection Authority), created based on MP 869/18, is the body responsible for supervising data protection by legal entities. It may request information from companies at any time, through privacy risk reports, to make sure that they are following the regulations established by the LGPD.
SOME LEGAL ASPECTS ABOUT SENSITIVE DATA IN THE LGPD
In the scenario of the impacts of the LGPD on companies, it is important to define the types of data in order to exercise their effective protection. Under the law, personal data is subdivided into anonymous and sensitive data, allowing the holder affected by misconduct to have recourse to the judicial system.
Sensitive data in the context of the LGPD are personal data related to racial or ethnic origin, political orientation, sexual orientation, religious convictions, genetic data, medical history, and others that have a clear potential for social discrimination and therefore deserve legal protection. In other words, sensitive data are those capable of triggering discriminatory acts against the owner, and the law therefore gives the owner maximum legislative protection.
In accordance with Art. 11, items I and II of the LGPD, the processing of these data can only be carried out when:
I - the owner or his legal guardian consents, in a specific and prominent manner, for specific purposes;
II - without providing consent from the holder, in cases where it is indispensable for:
a) compliance with a legal or regulatory obligation by the controller;
b) shared processing of data necessary for the execution, by the public administration, of public policies provided for in laws or regulations;
c) carrying out studies by a research body, guaranteeing, whenever possible, the anonymization of sensitive personal data;
d) regular exercise of rights, including in contracts and in judicial, administrative and arbitral proceedings, the latter under the terms of Law No. 9,307 of September 23, 1996 (Arbitration Act);
e) protection of the life or physical safety of the holder or third party;
f) protection of health, exclusively, in a procedure carried out by health professionals, health services or health authorities;
g) guarantee of fraud prevention and the security of the holder, in the identification and authentication processes of registration in electronic systems, protected by the rights mentioned in art. 9 of this Law and unless fundamental rights and freedoms of the holder that require the protection of personal data prevail.
With regard to underage data subjects, the processing of sensitive data must contain the express authorization of a parent or legal guardian. However, Art. 11 of the LGPD also makes an exception to consent in urgent or emergency cases.
SOME IMPACTS OF THE LGPD ON HUMAN RESOURCES
The impacts of the LGPD on companies were also observed in Human Resources: with the acceleration of digitalization in various business sectors, including HR, many companies are impacted by the LGPD. One of the bases of the Human Resources department's work routine is the data of the company's employees, which are used for various purposes, such as monitoring the organizational climate, career and management plans. With adaptation to the LGPD, some impacts on HR were expected, since for this management to be carried out, it is essential that professionals in the area access personal data of employees.
Human Resources departments that were already computerizing processes quickly sought to meet the new requirements of the LGPD, adapting their data collection, treatment, and storage processes, in accordance with the rules established by law.
There is a large concentration of information collected daily in HR management processes, whether in hiring, dismissals, or internal processes: professional history, salary levels, contact information, identification documents, and working hours. In addition to this important information, HR professionals also have access to data considered sensitive by the LGPD, such as medical records, family information, address, date of birth, dependents, and others. If not stored securely, this data can be stolen by hackers. For this reason, it is essential that companies exercise the utmost caution with the processes that involve the processing of this data, thus ensuring the security of employee information and meeting the requirements of the LGPD.
Although companies are authorized by the LGPD to use employees' personal data for management processes, these processes must be adequate to avoid sanctions. One of the adjustments requires the employee to sign a declaration of consent, indicating the purpose of the data collected, which is limited to essential information for the company's activities, and for how long it will be stored in the company. Therefore, it is necessary to assess the real need to request sensitive information such as gender, marital status, sexual orientation, among other information irrelevant to the activity that will be carried out.
The LGPD directly changes the routine of organizations, especially the HR sector that deals with employee data in their daily practices, which is why it is important to know and understand the impacts of the LGPD on HR, as well as the adaptation to the new scenario imposed by law.
In short, the impacts of the LGPD on companies are already seen and proven, requiring changes in policies, processes, technologies, and organizational culture to ensure adequate protection of personal data and compliance with the law. Review and adaptation of privacy policies, changes in data collection and consent processes, investments in information security, impact on contractual relationships, and changes in organizational culture are some of the aspects that demand the most attention in complying with the LGPD.
Get in touch with TATICCA Allinial Global Brazil, which has a qualified and experienced multidisciplinary team, tools and methodology to implement the LGPD in an objective and assertive manner, with: guidance and training, diagnosis, analysis of employee contracts, analysis of supplier contracts, analysis of internal policies, analysis of contracts for the provision of service or sale of products, adaptation of contracts in accordance with the LGPD, data mapping, implementation of the service channel, drafting of a privacy policy, pre-formatted documentation with all the requirements of the LGPD.