Lei Geral de Proteção de Dados - Why your company should prepare
May 8, 2019
by Kleber Leal, Zamak Portal
Approved in August 2018, the Brazilian General Data Protection Law (Law No. 13.709/2018) requires both governments and companies to request authorization to store personal information and disclose what will be done with that data. One of the objectives of this law is to standardize and make the often-ignored terms of use easier to understand.
The law contains more than 170 amendments, and for that reason the government sent a Provisional Measure (MP) to Congress to make some changes. A joint committee will analyze the MP, which will then go to a vote in the Chamber of Deputies and the Senate.
8 Points You Need to Know
We have listed eight key pieces of information you need to know about the new law, so you can adapt and prepare for this new reality:
1- When does it take effect? The law comes into effect on August 16, 2020.
2- Who needs to adjust? Legal entities that collect data from Brazilian citizens need to adapt, as does any company, headquartered anywhere in the world, that offers products and services to people in Brazil.
3- How much time is there to adapt? Companies that only start the adaptation process in mid-2019 will already be at risk of missing the deadline, since a good compliance project takes about 9 months to complete.
4- Who is responsible for this? Companies will need a dedicated professional to handle it, in a role equivalent to the "data protection officer" (DPO).
5- Whose data is covered by this law? The rules will apply to the processing of data from employees, customers, suppliers, and third parties.
6- What are the special considerations? Data considered especially personal that the company may come to use, such as religious beliefs, political positions, health conditions and sexual life, as well as biometric data, will require specific treatment.
7- Which bodies will oversee it? The National Data Authority, which is still being created, as well as the Federal and State Public Prosecutors' Offices, consumer protection bodies such as Procon, and agencies such as ANAC, ANVISA, ANS and CVM, among others.
8- What is the penalty for non-compliance? Supervisory bodies may apply fines of up to 2% of the company's revenue, capped at R$ 50 million.
Who is the DPO Professional?
The DPO professional - from the English term 'Data Protection Officer' - is a specialist responsible for managing the entire flow of information in a company, from its collection to its processing. The DPO will also serve as the liaison between the company and the future National Data Authority.
Lawyer Renato Blum, coordinator of the Data Protection course at Insper, stated that the first step is to hire specialized professionals to set up a compliance plan. Their training should be interdisciplinary, encompassing knowledge of the new legislation, information security, and governance of the personal database.
Furthermore, it is important that they have an easy rapport with other areas and can act as a spokesperson for the organization before government authorities and data subjects, especially if they need to report incidents and problems regarding personal data breaches.
"The trend is for the 'DPO' role to be linked to the data area, but this definition depends on each company's structure. This professional will have an internal oversight function and may also act as the company's spokesperson," concludes the lawyer.
Source: UOL Economia