LGPD: Information and awareness are essential to avoid penalties
Despite being enacted in 2018, Brazilian organizations are still gradually adapting to the LGPD. To avoid penalties and fines, companies need to understand which compliance aspects are necessary to achieve the expected result.
November | 2021
The path to adoption of the Brazilian General Data Protection Regulation (in Portuguese, LGPD, Lei Geral de Proteção de Dados) has been a long one, permeated by doubts and uncertainties regarding its implementation and compliance with the guidelines that have transformed the processing of personal data in the country. The 2018 regulation entered into force in a staggered manner and, since August 2021, organizations operating in Brazil have been subject to administrative sanctions for non-compliance with the rules it imposes.
Companies and public bodies that violate the law may receive warnings, fines, blocks, suspensions or partial or total limitations on the exercise of their activities; fines can reach 2% of revenue, with a limit of R$ 50 million per violation. The challenge of adapting is on the table and, although it is still too early to know the real impact that the penalties will have on the business environment in Brazil, data on the application of the GDPR indicate what can happen locally.
For most European organizations, the two-year transition period was not sufficient to ensure compliance with the rules established by the GDPR. In its first year in force alone, fines in excess of €53 million were applied, and the total amount of sanctions up to September 2021 exceeded €1.2 billion. Among the most common offenses in Europe are the lack of a legal basis for data processing; the lack of technical and organizational measures to ensure information security; and non-compliance with general data processing principles. The sectors that suffered the most from fines were Industry and Commerce; Media, Telecommunications and Broadcasting; and Public Services and Education. In November 2017, only 15% of companies in the region believed they would be in compliance with the law by May 2018, while 54% of them only gave importance to the GDPR because of the number of fines applied.
These data show how non-compliance with the law can have a real impact on an organization's profit and functioning. Although on the European continent the punishment curve took about 12 months to rise, partly because of the regulatory authority's adaptation phase, we expect that in Brazil this time will be cut in half, since much has already been learned from the European experience.
It is precisely because of this scenario that the work of the National Personal Data Protection Authority (in Portuguese, ANPD, Autoridade Nacional de Proteção de Dados Pessoais) becomes even more fundamental to guarantee the proper protection of the rights of freedom and privacy, having a direct impact on how companies and organizations will develop their strategies to adapt processes to the legislation.
While, on the one hand, the LGPD brings a growth opportunity for companies, since the ethical use of data and the implementation of good practices can increase trust among customers and employees, on the other hand the regulatory pressure brought by the law will require considerable effort in quality control when handling personal data and in increasing accountability for the organizational cyber risk management measures that protect such data.
Thus, the education and awareness of individuals dealing with personal data is of utmost importance: a survey carried out by the International Association of Privacy Professionals (IAPP) indicates that more than 70% of data breaches are caused by human error. Companies already have compliance practices, but they need to take an integrated journey, considering not only the business but also the legislation. For the rules brought by the LGPD to be complied with, it is crucial to invest in data handling training. According to a Deloitte , although companies are investing in governance and data access management in the context of the LGPD, training people to deal with this data is still not a priority among the organizations interviewed.
In addition to the punishments for breaking the law, it is necessary to pay attention to implications that go beyond economic sanctions. The impact on brand perception for organizations that do not comply with the LGPD can be even more harmful than the amount of the fines, and the damage done to a company's reputation in the market is difficult to measure.
Compliance with LGPD rules will be essential to maintaining the financial health of the business, and companies that do their homework, adopting best practices and implementing processes that mitigate risk, will see an increase in their confidence and market performance indexes.
Pillars of awareness in privacy training
One of the ways to minimize the volume of fines and sanctions resulting from LGPD violations is to implement an awareness and training program for employees and third parties who deal with data daily. The IAPP has drafted a six-step plan to assist in planning such a training program.
Establish a common understanding of privacy: Companies and organizations need to provide their employees and third parties with a common definition of privacy when processing personal information. This definition should be an integral part of awareness training on the topic, ensuring that information is collected, processed and protected in a uniform and consistent manner.
Consider human error: When trying to determine the cause of an error, it is not uncommon to hear that the person involved did not know of a policy or procedure that defines the proper use of personal information. Instituting a training culture that reinforces the policies and procedures adopted will encourage people to process information properly.
Consider privacy from the start: When creating new processes, it is important to collect all information usage requirements in the early stages of any project, as well as to include a privacy expert in discussions from conception to delivery.
Improve customer interactions: Staff trained in the company's privacy policies have better relationships with customers because they know which data is important to collect and which information is not necessary.
Expand the work of the privacy department: Privacy professionals are generally a scarce resource in most organizations. Consider a training plan that prepares your workforce to be knowledgeable enough to address some issues independently.
Change the debate: This type of training aims to change the debate around privacy issues, so that privacy considerations are no longer an afterthought but become key points of discussion, enabling people to act increasingly as protagonists in making intelligent decisions that ensure the protection of sensitive information.
Discover Deloitte Cyber's solutions and how we can support your company on the journey of adaptation to the LGPD.