01 Aug Data Protection Act: What Is It?
Following the latest data leaks confirmed by Facebook as a result of the Cambridge Analytica scandal, in which information from millions of American users profiled on the social network was sold for Donald Trump's campaign, several countries have begun to develop laws and tools to ensure greater security for the data that travels on the internet.
In May 2018, the European Union adopted the General Data Protection Regulation (GDPR), which replaced the Data Protection Directive (created in 1995) and entered into force to protect the privacy of all citizens of the European bloc. All companies headquartered in the EU, or that store European citizens' data, need to comply with this regulation.
In addition to the EU, Latin American countries such as Chile, Colombia, Costa Rica, Peru, Uruguay and Argentina also have data protection laws on the same level as the GDPR for their citizens. Brazil joins this group: in August 2018 it approved Law No. 13709, named the Data Protection Law, which has a term of 18 months to enter into force, the deadline for companies to comply, and which will guarantee citizens greater control over their personal information.
Understand what the Data Protection Act is
The new law aims to establish rules and limits for the collection, storage and transfer of data, mainly in digital media. From now on, cases like Cambridge Analytica could be punished with much more rigor and speed if they happened in Brazil.
With the new Data Protection Law, all information collected, whether by a company or not, such as registration data, name, address and email, or even texts, photos and other types of information present on social networks, must have the consent of the holder in order to be stored.
This request for use must be made in a clear and objective way, through a dedicated clause, and must always respect the purpose that was specified. If the purpose for which the data is used changes in the future, the customer must grant a new permission.
What personal data are protected?
Companies must first collect only the data that is really necessary and essential for the services provided. Data on people's health are free to be used for research purposes. The Data Protection Act also does not apply to data used for journalistic or artistic purposes, for investigations, for the prosecution of crimes, or in cases of public safety and national defense.
If the user accepts it, registration data such as name, address, CPF and so on, as well as consumption preferences, habits, health conditions, sexual orientation, political preferences, and information about assets and credit situation, can be processed for various uses, including electoral propaganda.
This is why it is important for users to be aware of the services to which they give their information and, even if it seems difficult, to watch out for the clauses that explain what data will be collected and for which purposes they will be used.
Is it possible to change or delete the data collected?
From now on, with the Data Protection Act, users can decide what will be done with the information they give to a company. They may ask to change or even delete their data.
With the new law it is possible, for example, for an email account to have all its messages transferred to a new provider if the user wants to change service providers. It will also be possible to request a review of an automated decision based on your data, such as the commonly used credit rating.
Personal data may also be transferred to other countries, as long as they also have measures in place to ensure the protection of this data for their citizens.
In addition, after the relationship between a company and a customer ends, the information should be deleted. This does not happen today: it is very common that, even months or years after canceling a service, one still receives calls and emails from the company. Not to mention when this data is sold to another company, which then has a complete report on the user and their behavior.
Are there penalties for leaks or misuse?
With the new Data Protection Act, companies must ensure the security of all of their users' information, preventing unauthorized access, destruction, alteration or any other form of inappropriate or illicit processing, and preventing any form of leakage. If a leak does happen, the owners of the data must be informed immediately about its full extent and the possible damages, as well as the safety measures to be taken.
If a company sells or leaks data, or breaches any of the clauses of this new law, it may receive a simple or daily fine of up to 2% of its corporate income, excluding taxes, limited in total to 50 million reais.
Is your company ready?
Today most companies store some user information in their databases. However, very few of them manage this information and care about its security.
Therefore, since the Data Protection Act will still take 18 months to be enforced, it is essential for organizations to start addressing the security of their networks and the management of all their data right now. In this way you will be ensuring not only your own financial health, but also helping everybody benefit from good practices and increasing security.