On August 14, the General Personal Data Protection Law ("LGPD") completed four years of enactment, although it only came into force more than two years later, on September 18, 2020.
Unlike the General Data Protection Regulation - an analogous norm of the European Community that served as an inspiration for the national legislator -, which only consolidated the privacy and data protection rules of the member countries in force for at least 50 years, the LGPD is innovative for the legal system. Brazilian legal system, which until then did not contain specific rules for the processing of personal data.
The LGPD establishes principles, obligations and rights inherent to the protection of personal data, which, in line with the advances achieved in the digital age, was recognized by the Federal Supreme Court and granted the fundamental guarantee by Constitutional Amendment 115, of February this year, which included item LXXIX in article 5 of the Magna Carta.
Following the enactment of the LGPD, the National Data Protection Authority ("ANPD") was created, initially linked to the federal government and, since the enactment of Provisional Measure 1.124/22, transformed into an agency with agency functions, ensuring the same degree of administrative autonomy and technical independence enjoyed by bodies such as the Central Bank, the National Health Surveillance Agency - Anvisa and the National Telecommunications Agency - Anatel.
Furthermore, in August 2021, the twenty-three members of the National Council for Data Protection ("CNPD") were appointed, formally constituting the body that makes up the structure of the ANPD and serves as a mechanism for society's participation in the authority, with competence to, among other things, propose strategic guidelines and provide subsidies for the elaboration of the National Policy for the Protection of Personal Data and Privacy.
This normative and organizational microsystem put the subject in evidence, demanding from all companies the adequacy of their practices and, with this, significantly accelerating the process of acculturation of society about the importance of personal data as a legal asset that is part of the rights of the personality and in the face of the growing value of information.
Similar to what happened with the entry into force of the Consumer Protection Code - but much more quickly - the enactment of the LGPD has made the population aware of the processing of personal data by third parties, providing tools for the exercise of the right to your protection.
However, there is still a long way to go: in a survey carried out by Procon de São Paulo, between May and June 2021, with more than seven thousand people, although almost 90% of respondents said they know what personal data is , only 45% correctly defined the term and only 35% said they were familiar with the LGPD.
These data were confirmed by a survey carried out at the same time by the Brazilian Federation of Banks - FEBRABAN together with the Institute of Social, Political and Economic Research - IPESPE2, in which 60% of the interviewees claimed to know "just by hearing about it" or not knowing the GDPR
On the side of the controllers and operators of personal data, there was a concern to adopt measures aimed at adapting to the dictates of the law, not only due to fear of the heavy sanctions provided for in the LGPD, but also in view of the perception that respect for the rules of privacy and data protection represents a competitive advantage over the competition.
However, as in the case of holders of personal data, there is still much to be done: according to a study by RD Station from January to April 2021, with almost a thousand companies3, 30% had already started the process of adapting to the LGPD. Among large companies, the percentage was slightly higher, reaching 39%.
The result was corroborated by a study of the Capterra platform, carried out in June of last year with more than three hundred managers or coordinators of small and medium-sized companies4, of which only 37% considered them to be fully adequate to the LGPD.
As can be seen, there is also room for evolution at this point, given that the pace of adaptation should accelerate as soon as we have the disclosure, by the ANPD, of the long-awaited methodology for dosimetry of penalties, enabling the application of administrative sanctions, and the consequent start inspection procedures by the authority. On the other hand, a regulation is also awaited that limits the obligation of adequacy, establishing criteria for the exclusion of companies with a low volume of data processing.
On the international scene, LGPD has been promoting Brazil's alignment with the best practices for protecting personal data adopted around the world, thus contributing to the country's economic and technological development.
Finally, although we still have enormous challenges ahead, the advances in the last four years have been enormous and, despite the skeptical gaze of many when the LGPD was enacted, they have brought the certainty that privacy and the protection of personal data is a right who came to stay.
Therefore, for those who continue to bet that the LGPD "will not catch", just access the Violations Portal of the National Agency of Data Privacy Professionals5 and check the sanctions already applied by the Judiciary as a result of the violation of privacy and data protection. personal.
Finally, it is worth noting that Bill 2.076/2022 is in the process of being approved by the Federal Senate, so that August 14 is officially recognized as the "National Data Protection Day", favoring educational and awareness-raising actions on the subject. .
The General Personal Data Protection Law - LGPD came into force on September 18, 2020, with the publication of law 14.058/20. The law has been in effect partially since 2020, but the administrative sanctions were postponed until August 1, 2021, when it came into full force. Since then, Brazil has been part of a select group of countries that have a specific law related to the protection of data and privacy of citizens, and experts say that we have already made significant progress in the LGPD adequacy scenario.
One of the advances in adapting the LGPD by companies is the performance of the ANPD. Through Decree nº 10.474/2020, the Federal Government created the regimental structure of the National Data Protection Agency (ANPD), an organ of the Presidency of the Republic that has shown to be in tune with its purpose of promoting education, awareness and transparency on issues involving the protection of personal data.
The actions to adapt to the LGPD have created a new culture of privacy in the country, driven by the advance in the use of digital technologies, reflecting the understanding that personal data need to be valued as they deserve. The challenges faced are still similar to those that occur in other countries, but it already seems culturally that it is necessary to guarantee the protection of personal data, not only by complying with Federal Law, but also by valuing improvements such as reputation and credibility of companies.
There was also progress in the private sector, which is increasingly looking for events and training courses. Adaptation to the LGPD does not allow a standard applicable to all companies, as the LGPD does not dictate a ready recipe on how companies should proceed to adapt to issues involving the processing of personal data. This is because each business needs to be studied in its particularities, so that the best form of adaptation is found. This factor has also given rise to the need for technical debates on the instrumentation of the law, expanding the dialogue between the various business sectors.
Given this perception over these first years of adaptation to the LGPD, there is an understanding that the prospects for the protection of personal data in Brazil are good. However, continuous evolution is necessary to achieve a balance between protection of the rights of personal data subjects and economic and social development.
Get in touch with TATICCA – ALLINIAL GLOBAL, which has a qualified and experienced multidisciplinary team, tools and methodology for consulting on LGPD and also implementation, in an objective and assertive way, with: guidance and training, diagnosis, analysis of employee contracts, analysis of supplier contracts, analysis of internal policies, analysis of contracts for the provision of services or sale of products, adaptation of contracts in compliance with the LGPD, data mapping, implementation of the service channel, elaboration of a privacy policy, pre-formatted documentation with all the requirements of the LGPD.