The General Data Protection Act (LGPD), which has been in force since September 2020, brings rights to personal data subjects and duties to data processing agents, whether they are controllers or operators. Contrary to the understanding of many leaders, complying with the Law is much more than just changing the company's privacy policy. Compliance involves developing a culture of privacy across business processes, in addition to a governance program that reviews the privacy management system and also considers actions and postures related to the topic.
To understand how to start the implementation process, some key points need to be observed, starting with an in-depth study of LGPD and of the laws in general that regulate your business. Then a mapping of the entry and processing of personal data, as well as the risks of that processing, must be carried out. At this stage, it must be made clear that adapting to LGPD involves not only the area of technology and information security, but also the legal, compliance and human resources areas.
In the organization phase, the action plans and mechanisms necessary to support privacy and comply with LGPD are established. An impact report must be prepared before proceeding with the creation of the data protection policy and the adaptation of internal and external documents. After the teams that handle personal data have been trained, the governance phase manages requests from data subjects and bodies, involving data, risk analysis, and other related actions. The purpose of the assessment is always to verify the regulations applied to the business area, identifying the impact on privacy. An important point during the adjustment is to establish a matrix of responsibilities for data protection and privacy.
Finally, in the improvement and continuous review phases, the company reviews the controls and oversees the maintenance of the program being implemented to adapt to LGPD. At this stage, it is recommended to appoint a Data Protection Officer (DPO), who will carry out activities such as advising the company's employees and outsourced staff on the practices applied, providing clarification, centralizing the receipt of national communications regarding LGPD and taking appropriate measures, as well as receiving complaints and communications from data subjects. For this reason, it is recommended that the DPO's competencies include complementary knowledge, such as processes and legal areas. The DPO, with the assistance of a Data Protection Committee, is also responsible for coordinating updates and monitoring the system, following its evolution.
The constitution of a Data Protection Committee and the appointment of a DPO are considered priorities in the implementation of LGPD in the company, along with the action plan and the review of current privacy policies. Depending on the business segment, other activities are also listed as priorities, but it is important to make progress on these first adjustment actions, considering that LGPD is already in effect and penalties may apply.
Adapting is necessary, and the implementation of LGPD policies should not be seen only as a mandatory routine, but as an opportunity to change culture, generating solid values with regard to data protection.
Contact TATICCA — ALLINIAL GLOBAL, which has a qualified and experienced multidisciplinary team, tools and methodology to implement LGPD in an objective and assertive manner, with: guidance and training, diagnosis, analysis of employee contracts, analysis of supplier contracts, analysis of internal policies, analysis of contracts for the provision of service or sale of products, adaptation of contracts in accordance with LGPD, data mapping, implementation of the service channel, drafting of a privacy policy, pre-formatted documentation with all the requirements of LGPD.