News that will impact your business
General Data Protection Law sets standards on information privacy management and cybersecurity. The new legislation provides an important tool to guide organizations through innovative business models.
September-November | 2018
General Data Protection Law (1)
New regulation sets standards on information privacy management and cybersecurity.
The General Data Protection Law (GDPL) establishes rules for handling and sharing personal data by companies. The regulation covers Brazilian organizations, in addition to foreign companies that offer services involving the use of personal data in the national territory. With the enactment of the GDPL in August 2018, companies have up to 18 months to comply with the new rules. Failure to comply with the law entails the imposition of fines that may amount to 2% of the organization’s revenues, with a limit of R$ 50 million per violation.
The new regulation requires organizations to pay particular attention to cybersecurity, with the development of a clear privacy policy aligned with the company’s goals and reality. This involves promoting a robust framework with well-defined roles and responsibilities both to deal with the requirements of the law and to organize responses to any incidents in the digital environment.
Organizations that can establish a strategic approach to the changes brought by the GDPL can leverage the use of such data as a competitive advantage. The adoption of good practices and the attainment of market confidence are fundamental in this process.
“With the GDPL, companies have the possibility to increase the confidence level of their stakeholders and gain in competitiveness as long as they demonstrate compliance and accountability for the rules in place.” Rogério Dabul, Deloitte's Risk Advisory and Cyber Risks Services partner.
General Data Protection Law (2)
The new legislation provides an important tool to guide organizations through innovative business models.
Enacted in August 2018, the General Data Protection Law (GDPL) imposes barriers to the indiscriminate use of data by organizations that offer services involving the use of personal information in the national territory. The new rules have a direct impact on the telecommunications and other industries and, according to Marcia Ogawa, Deloitte’s lead partner for the Technology, Media and Telecommunications industry, put Brazil on the heels of other digital economies that are heavily reliant on data science.
In today’s world of knowledge and information, “data represent a fundamental raw material for the production of a country’s wealth. With the regulation’s sanction, Brazilian organizations will have the legal security necessary to continue their digital journey and expand the use of technologies such as the Internet of Things in a conscious and ethical way”, Marcia says.
In addition to making the necessary changes to meet GDPL requirements, companies should see the new regulation as a tool to drive their operations, creating intelligent ways to use the information obtained through their digital ecosystem, with business models that value the security and privacy of individuals and legal entities. Only then will Brazil effectively enter the Digital Economy.
“The GDPL helps to foster an environment conducive to the emergence of companies that use information in an intelligent and innovative way. Organizations should take this opportunity to leverage their market presence in the Digital Economy.” Marcia Ogawa, Deloitte's lead partner for Technology, Media and Telecommunications.
France reinforces global anti-corruption fight
French organizations operating in Brazil must anticipate the inspections and adapt their compliance programs to meet the requirements of Sapin II Law.
In recent years, corporate integrity and ethics practices have undergone rapid regulatory change. In this context, France has aligned itself with the most rigorous international legislation by promulgating the so-called Sapin II Law. The law rests on three pillars – enhancing transparency, fighting corruption and modernizing the economy to make it more transparent – and goes a step further by including private-sector corruption among the issues that companies must address. In Brazil, by contrast, the law that defines the crime of corruption in the private sector is still in progress at the National Congress, through amendments to Law 9,279/96.
Another central point of the Sapin II Law is the creation of the French Anti-Corruption Agency (AFA), the authority responsible for overseeing compliance with legislation and defining the relevant measures and sanctions. Although recent, the Agency already has an agenda of more than 50 controls for this year alone. Any organization whose head office is in France with a consolidated revenue of more than €100 million and with more than 500 employees is subject to the new law.
The AFA is keen to consolidate its position as a world reference in the fight against corruption, and French companies should be able to present evidence of a robust global program when inspected. In a second step, the agency will conduct controls at the foreign branches of French companies.
This scenario presents a new challenge for French organizations operating in Brazil: improving their corporate governance structure, risk management and internal controls, since they must be ready for an assessment by their head offices. Organizations need to examine the degree of maturity of existing initiatives and assess the level of risk exposure for their business. “These two points are essential for guaranteeing and verifying compliance with the requirements of the Sapin II Law in an eventual inspection from the AFA, in the country or via a French head office”, says José Paulo Rocha, Deloitte’s partner in the Financial Advisory area and specialist in Forensic Services.
“The main challenge for French companies operating in Brazil is to confront and adapt existing controls to the obligations imposed by the new law. They must seize this moment to make their anti-corruption programs even more robust.” José Paulo Rocha, Deloitte’s partner in the Financial Advisory area and specialist in Forensic Services.
New cybersecurity requirements for banks
Central Bank of Brazil makes policy and incident-response plan mandatory and requires stronger governance for hiring technology services.
With the progressive evolution of technology and digital transformation in the banking sector, financial institutions also face emerging cybersecurity issues. Attentive to this, the Central Bank of Brazil (Bacen) promulgated Resolution No. 4,658/2018, which obliges financial sector organizations to adopt a cybersecurity policy and an action and incident-response plan, and to apply greater control and governance when hiring and outsourcing relevant technology services.
In practice, banks have to develop and disseminate cybersecurity policies and procedures for employees, service providers and the general public. Another requirement of the standard is the preparation of an action plan with routines, procedures, controls and technologies to be used in incident prevention and response – which includes performing attack simulation exercises to improve and update business plans.
Regarding third-party management, it will be necessary to revise contracts and adopt risk-management measures when hiring relevant data processing and storage services and cloud computing services.
With the deadline for the presentation of the adequacy plan ending in October, financial institutions have until May 6, 2019 to prepare and approve the cybersecurity policy.
“The higher dependency of the financial sector on technology services – with a growing number of hires and partnerships – demands more maturity in cyber-risk management. Both banks, of every size, and fintechs will have to do their homework on this matter.” Rodrigo Mendes, Deloitte's Risk Advisory partner.