The so-called General Data Protection Law (LGPD) has been in force since September 18, 2020. As a result, companies that have not yet adapted to the new rules need to implement the necessary changes as soon as possible. This is because penalties for non-compliance with the law will start to be implemented from 2021.

For those who aren't sure where to start, we've prepared this guide with everything you need to know about the LGPD and its impacts. That way, your company can start next year without worrying about any kind of legal sanction. Follow along.

About the General Data Protection Act

The General Data Protection Law (LGPD) came into force in September 2020. This two-year "window" between its approval and entry into force served as a transition period for companies to adapt to the new rules. As a result, those who are not even aware of what the LGPD is and its effects are somewhat behind the times.

The good news is that there is still time to "catch up" and reorganize your business operations to comply with the law. To begin with, let's take a brief look at what the LGPD is.

The General Data Protection Law regulates the terms under which user data can be collected, processed and shared. A more transparent standard for the management of this information is now in force, so that citizens have greater security that their personal data will be used for purposes previously agreed with companies.

Until then, we lived in a scenario of total lack of regulation, with user information being reproduced and stored without any kind of consent or security parameter, which left room for a series of problems. However, since the LGPD came into force, it has been established that:

When can data be processed?

I - through the provision of consent by the data subject;

II - for compliance with a legal or regulatory obligation by the controller;

III - by the public administration, for the processing and shared use of data necessary for the execution of public policies provided for in laws and regulations or supported by contracts, agreements or similar instruments, [...]

IV - for studies to be carried out by a research body, guaranteeing, whenever possible, the anonymization of personal data;

V - when necessary for the performance of a contract or preliminary procedures related to a contract to which the data subject is a party, at the request of the data subject;

VI - for the regular exercise of rights in judicial, administrative or arbitration proceedings, the latter under the terms of Law No. 9.307, of September 23, 1996 (Arbitration Law);

VII - for the protection of the life or physical safety of the data subject or a third party;

VIII - for the protection of health, in procedures carried out by health professionals or health entities;

VIII - for the protection of health, exclusively in procedures carried out by health professionals, health services or health authorities;

Applications of the LGPD

The General Data Protection Act has implications for all sectors of the economy. Basically, from now on, you need to state the reason for requesting data from your customers and potential customers, assigning the correct classification to this data, which is divided into:

Personal data - information capable of identifying a person, such as ID numbers, CPF numbers, name and address.

Sensitive data - information related to more specific attributes of a person, such as ethnic/racial origin, political positions, religious convictions, sexual orientation and the like.

Another important concept is data processing:

Data processing: any action involving personal data, from the moment the data is collected until the moment it is deleted, is considered to be "processing".

Having made these distinctions, let's look at some critical events that deserve attention.

Acquisition of data without consent

Even before the LGPD was passed, acquiring lists of leads was already an ethically inappropriate practice. Now it's a crime.

Therefore, under no circumstances should your company's commercial department share or receive user data without the proper consent of those involved.

Data from a market survey carried out a few years ago, for example, cannot be used in any other way. In this case, using anyone's personal data for a simple commercial contact is already illegal.

Communicating with your lead base

Suppose you already have a contact base of customers and potential customers with whom you communicate regularly via different relationship channels, such as e-mail and WhatsApp.

According to the LGPD, this contact must be demonstrably necessary for the operation of the company, which does not include marketing actions.

Data collection

Just like communication, data collection must be duly justified. In this way, the data requested, whether classified as personal or sensitive, must be considered strictly necessary for the operation of the company.

As a result, all forms in circulation addressed to your company's public must be revised to comply with legal requirements.

Types of consent

More than just knowing what to avoid, it is important to be aware of some of the concepts in the law so as not to fall foul of it and to have a broader understanding of how to handle your customers' data. Let's look at some clarifications in this regard.

According to the law, consent is defined as a clear and unequivocal statement of will. In practice, it is necessary to be clear and objective about the purposes of data use so that the user can agree or not.

From this perspective, consent, according to the provisions of the LGPD, must have the following attributes:

Examples of consent: 

  • Consent must be free: consent cannot be "forced" or induced, but rather a choice. Therefore, if a company inserts a consent checkbox on a form, it means that they do not have the option of accepting or rejecting the proposed terms.
  • Consent must be clear: Users must understand what they are consenting to. In other words, organizations must clearly describe all the terms of the consent request. Including information in a dense or difficult to understand privacy policy will not be enough to confirm acceptance of the terms.
  • Consent must be unequivocal: it depends on a positive act by the user. In other words, there must be an action by the user indicating their acceptance, either by sending an e-mail, an electronic signature, or even by clicking on a specific place.
  • You have to be specific about the object of consent: therefore, the company can never use the data collected for a purpose not specified in the consent form.

Faced with so many requirements, some people may be wondering: is consent strictly necessary to contact the lead?

Not necessarily, because we have what is known in law as legitimate interest and contracts. This provision legitimizes commercial contact made in a reasonable manner.


Understand what users' rights are under the LGPD

LGPD rights and obligations:

  • Confirmation of the existence of the treatment;
  • Access to data;
  • Correction of incomplete, inaccurate or outdated data;
  • Anonymization, blocking or deletion of data that is unnecessary, excessive or processed in breach of the LGPD;
  • Portability of data to another service or product provider, upon express request, in accordance with the regulations of the national authority, observing commercial and industrial secrets;
  • Deletion of personal data processed with the consent of the data subject;
  • Information on public and private entities with which the controller has shared data;
  • The right to information about the possibility of not giving consent, and therefore about the consequences of refusing;
  • Revocation of consent.

Conclusion:

In conclusion, as we have pointed out, any non-compliance can lead to penalties of various kinds, exposing your business to completely avoidable legal risks.
