Our partner Bruno Ferola wrote an article on the importance of risk management when implementing company policies required by laws such as the LGPD. He presents practical cases in which decisions that led to non-fulfilment of data subjects' rights, in the absence of compliance and good management practices, caused financial and reputational losses for companies and their employees.
He also points out some possible paths to LGPD compliance.
Non-compliant attitudes under the LGPD
I – Introduction
We live in a transformational era in which: (i) consumers increasingly have a sense of power in consumer relationships; (ii) employees are beginning to gain a voice, and companies are beginning to meet their demands for well-being and transparency; (iii) various applications and tools are created that give users more autonomy; and (iv) companies use people’s data for profile mapping and revenue growth.
In view of this complex and sensitive scenario, there was a need to create regulations that bring more security to these relationships, clarifying the practices for processing personal data and expanding and guaranteeing the rights of all data subjects.
In Brazil, the General Data Protection Law (LGPD), sanctioned in 2018 by former president Michel Temer and scheduled to enter into force in August 2020, sought to list these rights in its Art. 18, specifying how, and within what deadlines, data subjects may request information about their data from companies and third parties, such as: (i) confirmation that the company/third party holds their data and, consequently, access to the data it holds; (ii) correction of incorrect, incomplete or outdated data; (iii) restriction of data processing; (iv) deletion of data unnecessary for the provision of the service; (v) portability when switching from one provider to another, among others.
The list of data subjects' rights should bring more transparency and integrity to the processing of data, offering more security not only to users but to the entire environment of consumer relations.
On the other hand, if those who control data subjects' data do not implement appropriate policies, unprecedented financial and reputational losses may occur, as in Europe, where the GDPR (General Data Protection Regulation) applies. The GDPR served as the basis for the LGPD and has been in force for almost two years, with several cases of financial sanctions and damage to the image of companies involved in data privacy violations.
II – Cases
One of the most recent cases of a sanction for non-compliance with a data subject’s request for access to their data occurred in Belgium, where the Belgian Data Protection Authority (DPA) imposed a fine of €2,000 (R$9,300) on a non-profit association¹ that provides specialized nursing care. This case involved a single data subject; it is easy to imagine what would happen if thousands of customers requested information.
There are still doubts about the applicability and effectiveness of the new LGPD in Brazil. However, some jurists, such as STJ Minister Paulo de Tarso Sanseverino², argue that there will be a new wave of demand in the judiciary, similar in scale to the credit scoring lawsuits (over 200,000 actions).
To this one can add poor customer service and the failure to resolve customers’ problems through extrajudicial means, as well as companies' lack of compliance with the new law, a scenario favorable to indemnification claims being processed through judicial or extrajudicial
The latest CNJ surveys indicate that almost eighty million lawsuits are pending in the country³, and, according to a Gartner survey, about 70% of companies will still not be prepared to meet the LGPD requirements in August 2020⁴.
A practical example of this possible new reality is the application “We Are David”⁵, which collected the e-mail addresses of the Data Protection Officers (DPOs) of all large companies in Europe, allowing users to send messages to the person in charge to request information about their data.
III – Legal considerations
According to Art. 19, item II, of the LGPD, the company/third party must provide the requested information within 15 days, which is half the minimum response deadline in Europe and a third of the minimum deadline in California, for example.
In view of the above, the increase in data subjects' power and their sense of security regarding their data is evident, as is the imposition of limits and the consequent decrease in informality on the part of companies and third parties in processing this data.
As social networks amplify the repercussions of good and bad news, creating a scenario of constant spectacle, consumers begin to react more intensely to events.
In this context, complying with the law and meeting the rules for the protection and privacy of consumers’ personal data is essential. Companies must take this moment seriously, implementing compliance and good management practices to reduce financial and reputational risks.
IV – Compliance recommendations
On the other hand, LGPD compliance actions go far beyond the practices within each institution and extend to society as a whole; when exposing yourself in the web environment, for example, it is important to follow some tips⁶:
A) Choosing the ideal environment:
Be aware of the physical environment within your home from which you will join the meeting. Choose a place without a lot of traffic and, if possible, close the door.
B) Attention to Behavior:
The meeting may be taking place by video conference from inside your home, but it is important to maintain etiquette and behave exactly as you would in the office.
So dress as expected, keep the microphone muted when you are not speaking, and pay attention to punctuality, as it is fundamental to the success of your meeting.
C) Use reliable and, if possible, encrypted tools
There are several tools that enable an online meeting. Review the available tools and choose the one that best suits your meeting needs. Have the entire company use the same tool, so that usage is uniform and everyone knows how to use it properly.
D) Information security policies and standards:
Information leakage is an increasing concern for companies, and this risk grows when working from home, so keep up to date with security standards to prevent leaks.
E) Do not record meetings:
It is essential that participants be told whether or not recording of the meeting is permitted. During video conferences, valuable information about the company, its employees, business secrets and other information assets essential to the life of the company can be exposed.
F) Each user must use a login:
Do not share your email and password with ANYONE. This is a key measure to ensure that only the employees who need the information will access the meeting and the material made available.
Be careful about sharing cell phones and notebooks, for example, as they may contain saved login and password data.
G) Pay attention to the permissions granted to applications:
Pay close attention to the permissions you grant to apps, especially when downloaded on a mobile device. Be suspicious of intrusive permissions and check the data the app requires access to in order to work, which should only relate to the functioning of the device's camera and microphone.
H) Disable pop-up notifications when sharing the screen:
When sharing your computer or cell phone screen during video calls, disable pop-up notifications from email, social networks and messaging apps. Messages may concern private matters not relevant to the meeting.
I) Send the call invitation only to trusted emails:
Do not share video call invitation links on social media; forward them privately to the email addresses of the meeting participants. Sharing the invitation URL can attract strangers and cybercriminals to the video call, compromising participants' information.
J) Update the antivirus:
Antivirus is a basic and essential security program to have on your computer. In addition to protecting the machine and its systems against viruses and malware, it can also prevent crashes and slowdowns. Even though it has a cost, it is a powerful resource against cyber attacks.
V – Conclusion
Thus, non-compliant attitudes such as: (i) leakage of nudes (intimate photos and videos); (ii) sharing confidential data via WhatsApp or personal email; (iii) participation in professional meetings in public environments, with unrelated people present or over an insecure Wi-Fi network; (iv) criminal interaction with minors; (v) dissemination of “fake news”; and (vi) hate speech and inappropriate behavior under the guise of freedom of expression, can be avoided with simple and objective rules based on the LGPD.
Finally, the LGPD contributes to the evolution of society in terms of privacy and data protection, and should in no way be an impediment to the development of an institution. Quite the opposite: by adopting many of the compliance actions set out in the law, such as the creation of regulations and training, institutions can strengthen their internal controls and contribute to society, through their employees, to a safer and more correct use of the online environment.
⁶ Guia de boas práticas em reuniões online – P&B Compliance