The LGPD and the Data Privacy Professional

The world was already migrating to a digital revolution, where adaptation to new consumption parameters, interaction with data analysis were necessary, within a corporate Darwinism perspective (whoever adapts survives). In this context, the COVID-19 pandemic was a catalyst for this process of transformation of human behavior, by creating new patterns of relationships, whether in the private sphere or in the work environment. Interactions and communications via apps and platforms are the norm today, giving rise to an abundance of amenities and concerns (inherent in the former).

Data privacy is today, without a doubt, the main source of concern in the world of regulatory compliance. Data has a lot of value and there are no leading companies that do not properly analyze this data to optimize resources and maximize results. This gives rise to a new reading of human behavioral science in conjunction with prescriptive data analysis, which aim to predict how the individual (owner of this data) will act. All this within a technical rigor that seeks the smallest margin of error possible, within a percentile of accuracy above 95%.

DATA and 5 V's

The valuation of data takes place within the concept of 5 V's: Volume, Variety, Veracity, Velocity and Value.

Volume refers to Big Data, data lakes and other inexhaustible sources of information about a multitude of individuals. In this aspect of data analysis, size is document. The greater the volume of data, the greater exploration potential there is.

Variety refers to the fullness of angles of approach of each data subject, thus having a holistic view of this individual. This allows a complete approach in reading their characteristics and behavior patterns. If volume is a quantitative measurement, the variety and veracity of data are qualitative rulers.

Veracity refers to the accuracy of the data collected. The more reliable the data, the more value it will have, because the more assertive the interpretation of the conclusions resulting from its processing will be. There is no point in having volume without variety and veracity.

Speed ​​refers to how quickly data can be processed. According to Moore's Law of 1965 processing power increases exponentially from time to time. Through a concept established by Gordon Earl Moore, this law stated that the processing power of computers (understand computers as computing in general, not home computers) would double every 18 months. Today, this possibility of expansion in geometric progression in the binary pattern of processing is already saturated. On the other hand, with the advent of quantum computing, data processing speed will enter a new level where the sky will be the limit!

The Value is nothing more than the sum of the 4 V's that precede it. Adding value is the mantra of the digital economy, as it weighs favorably on the delta between return on investment versus operating costs. Successful companies compete on value, not price.

Concerns with Data Analysis

Privacy is very important to customers, associates and the whole range of data subjects. Consumers have become increasingly connected and are constantly sharing information online. They are researching, buying and using products and services online, across a multitude of connected devices. They are also choosing to share their preferences as part of interactions on social media and search engines. All of this customer data is being collected by device manufacturers, desktop and mobile application manufacturers, internet providers and telephone operators for their own purposes or to sell to other companies.

In many cases, consumers are happy to share information like photos, opinions and locations through Instagram, LinkedIn, Facebook, Snapchat and Twitter. On the other hand, when it comes to other, often highly personal, aspects of their lives – health, wealth and family – these consumers are more protective and averse to intrusion.

In the US, according to a recent survey conducted by the company AnchorFree, a surprising majority of Americans - 95% - are concerned about companies that collect and sell personal information without permission. In addition, more than 80 percent are more concerned about their privacy and security online today than they were in 2019. In Brazil, the scenario is not much different.

This means that customers are thinking about privacy when they visit a website, use an application or consume products and services. The question is, what are we doing to demonstrate to customers that their privacy is important to your business or entity?

Privacy is important to your brand. Most companies today are connected to other trading partners in our highly interdependent world trade. Businesses may be using a hosted online store, a separate email marketing provider, and a different website hosting operation. They all employ different ways of handling customer information.

The same goes for other business partners, considered “data operators” in the LGPD nomenclature, such as marketing agents, infrastructure developers (website hosting and data storage), digital media platforms and other outsourced service providers. When companies offer or receive referrals from customers, this information is coming and going and potentially exposed and treated differently by each entity in this consumption chain.

This distributed approach to exposing information means companies need to think more broadly and deeply about privacy. Privacy isn't just a few paragraphs buried in a terms and conditions page on your website. Privacy is built into everyday interactions with customers. Privacy is something that can impact a brand, disrupt the customer experience, and potentially damage a company's reputation.

LGPD and the Brazilian Market

Brazil has more than 140 million internet users. We are the largest internet market in Latin America and the fourth largest in the world in terms of number of users. Brazil already has more than forty legal rules at the federal level that, in different ways, deal with data protection and privacy. Given the complexity of our civilist system, combined with the archaic division of powers in the current federative pact, we have a legal structure of crossed wires, which often short-circuit, electrocuting legal certainty.

However, these legal-jurisdictional frameworks are often sectoral in nature, as in the case of privacy and data protection. This means that the laws on the subject relate separately and specifically to financial institutions, real estate, consumer goods, consumer protection and the like.

The LGPD (General Personal Data Protection Law) - is intended to replace this fragmented legal landscape with a comprehensive, homogeneous and centralized regulatory framework. In this way, individuals (data subjects) will be “empowered” with a simplified set of rights, rather than the partial protection of sectoral laws in force today. The LGPD is shaped with inspiration from the European Union's General Personal Data Protection Regulation (GDPR) and as such applies to consumer relations as well as industrial relations, today impacted by remote work.

Remote work

In addition to regulating consumer relations, between borrowers/buyers and providers/sellers; The issue of data protection and privacy extends to work relationships, between employees/employees and contractors/employers. The labor legislation and related preexisting norms already promoted several guarantees in defense of the worker. The digital revolution, with data analysis, has brought with it new concerns regarding the sensitive data of the worker.

The rapid and unprecedented changes emanating from the Covid-19 Pandemic has accelerated the transition to remote work, requiring the migration of nearly entire companies to virtual work in just a few weeks, while leaving managers and employees adjusting in a veritable juggling act. Chinese circus. This massive transition has forced companies to rapidly advance their digital footprint, using clouds, storage, cybersecurity and device tools to accommodate their new remote workforce.

Enjoying the benefits of remote work - including zero commute times, lower operating costs and a greater number of global job applicants - many companies, including Twitter and Google, plan to permanently incorporate remote days or give employees the option to work from home. from home full-time.

In this new reality, employees feel lost, isolated, out of sync and out of sight. They want to know how to build bonds of trust, maintain connections without face-to-face interactions, and have a proper work-life balance. Managers want to know how to lead virtually, how to keep their teams motivated, what digital tools they will need, and how to keep employees productive.

Providing compelling, evidence-based answers to these and other pressing dilemmas, a data privacy program must address all employment issues. Such an initiative must consider specific steps, original illustrations (pictures speak louder than words), and interactive tools in a timely manner to help team members deliver results previously out of reach. Thus, employees will be able to break out of routine norms to successfully use the new features of remote work while adapting to their new norms.

This transition must be made in a healthy and sustainable way, respecting the differences and limitations of each individual. In addition, due to the greater exposure of data, new rules will be adopted to guarantee privacy protection. In this context, the data privacy professional becomes a key link in the process of adapting remote work.

The Role of the Data Privacy Professional

Society trusts data privacy professionals to make decisions about which fields of personal income, medical or educational information can be shared publicly, in accordance with laws and regulations. How good are the decisions they make? They do not have to publish the protocols they use, and they often prohibit others from telling them about vulnerabilities found in data processing media. Thus, in silence, these professionals circularly affirm that there are no problems, but the reality tends to be different.

Unfortunately, cases of abuse in the treatment and disclosure of data, without the proper legal basis for it, have become common in Brazil and in the world. It is up to the data privacy professional to ensure good practices. The best weapons to curb misconduct are awareness, monitoring and coercion in case of non-compliance.

The data privacy professional must be more proactive than reactive. It is incumbent upon him to elaborate any data privacy program of a company or entity. The main objective is to establish a culture of data privacy, whose repeated practice of a desired pattern of behavior will curb misconduct, like a selective membrane. Transparency and accountability are watchwords in this context, where the LGPD emerges as an important ally.

GDPR and Compliance (Data Privacy Compliance)

The General Data Protection Act is an important tool for the data privacy professional. Because it is modeled very closely on the European GDPR model, it creates a legal framework for how personal data can be handled in Brazil. Containing sixty-five articles, divided into ten chapters; it thus encompasses all forms of data processing. Its scope includes consumer relations and labor relations, among others.

The LGPD (General Data Protection Law) empowers data subjects with nine rights, defines what constitutes personal data, creates ten legal bases for legal processing. It also assigns companies and organizations the obligation to appoint a Data Protection Officer (DPO) and establishes the National Data Protection Authority (ANPD) with powers of supervision, guidance and application of its administrative sanctions.

Any data processing in Brazil is protected by the LGPD, even from foreign data processors. The LGPD defines a data subject as a natural person to whom the personal data being processed refers. In other words, an individual whose data is being collected and/or processed is a data subject. The LGPD has transversal and multi-sectoral application, that is, it applies to both the public and private sectors, as well as online (digital) and offline (physical) data.

It also has extraterritorial application, which means that websites, companies or organizations that process personal data of individuals in Brazil are required to comply with the LGPD, regardless of where in the world they are owned or operated.

In its Article 3, it is defined that the LGPD applies:

1. to the processing of data in the territory of Brazil,

2. Processing of data of individuals who are within the territory of Brazil, regardless of where in the world the data processor is located,

3. Treatment of data collected in Brazil.

Thus, the LGPD of Brazil not only protects Brazilians, but all individuals whose data is collected or processed while they are in the national territory. This means that the LGPD applies to any individual whose data has been collected or is being processed while within Brazilian territory, not just Brazilian citizens.

Conclusion

With the LGPD, Brazil fulfills one more homework to pass the OECD entrance exam and raise the level of reliability for data sharing at the international level. Although there are several mishaps in the structuring of the ANPD and challenges in the regulation of the Law, the positive points outweigh the negatives. It is up to the data privacy professional to learn about the content and changes of this legal framework promoted by the LGPD in Brazil, in order to have a more fruitful and efficient performance.

Daniel Majzoub – former Institutional Ambassador of IBREI to the Persian Golf (in memorian)