Many executives must be asking themselves this question. Before answering it, let’s recall some recent information leaks:
1) In January 2021, personal information such as name, CPF and address of 243 million Brazilian citizens was leaked from the Ministry of Health;
2) The Federal Police is investigating the suspicion that a hacker obtained personal data (full name, address, email, cell phone, date of birth, gender) of 223 million people from Poupa Tempo de São Paulo. News published in Folha de São Paulo on 03/15/21;
3) A cyber attack reported on 12/03/21 against SITA, an information technology company that provides services to airlines, including Latam, which may have exposed data of at least 8% of the members of the Latam Pass program.
And these are only the recent cases that occurred in Brazil. Numerous other leaks have been reported, such as Facebook’s in 2018, which exposed the data of over 214 million users, and those of other companies such as eBay, Adobe and LinkedIn.
These cases clearly demonstrate that every company runs the risk of exposing the personal data of its customers, employees, suppliers and partners. Therefore, the first step is to identify these risks and quantify their probability of occurrence. This will make it easier for you and your peers to decide to start a journey to protect personal and sensitive data in your organization.
It is important to note that personal and sensitive data belongs to the citizen to whom the data refers, but the responsibility for maintaining, updating, processing and controlling access to it rests with the company that collected it. Therefore, in case of exposure of personal data, the organization is liable for the leak and its consequences.
The legal framework for data protection in Brazil is defined in the General Data Protection Law, also known as LGPD, which came into force on 9/18/20; fines for non-conformities should start on 8/1/21, but there is an initiative in the Brazilian Congress to postpone the application of fines to 01/01/22. The fines may be up to 2% of revenues, limited to R$ 50 million per infraction.
Among the citizens’ prerogatives guaranteed by the LGPD is the right to request their personal and sensitive data at any time, and the company has a period of 15 days to provide this data. Clearly, for the organization to respond within the legal deadline, it must know which personal data it has collected, the legal basis that supports its use and the storage location of that data. Otherwise, your company will have difficulty responding and risks being in violation of the law.
Therefore, the answer to the initial question has become clearer. All organizations from the most diverse business sectors, such as agribusiness, industry, services (IT, telecom, logistics, facilities, education, advertising and marketing, filming/photography, maintenance, etc.), the third sector and governments, are impacted by the LGPD and must prepare as quickly as possible to comply with the legal framework of that law.
Start your journey now!