The publication of Law 13.709 in Brazil, in August 2018, could have been just one of the hundreds of laws published every year without much publicity, or without even coming to the public’s notice. But that is not the case with the GDPA!
The approval of the General Data Protection Act (GDPA) gained national attention, both for the importance of the regulation and for its reach, which extends to virtually all companies and services in the country. It is therefore vital to understand its importance and the need to comply with it.
Reading this blog post will bring greater clarity about the general aspects of the data protection law, including what the Law is, what data it proposes to protect, who should seek compliance with it, and what will change when it enters into force.
What is GDPA?
Although Brazil already had several articles and laws that directly or indirectly regulated the protection of privacy and personal data, the GDPA unified important concepts, obligations, rights and the consequences of non-compliance.
Beyond establishing obligations and duties, the law also aims to promote economic development, especially for companies that do business with countries that already have specific legislation protecting personal data and that require equivalent national legislation from their trading partners. This has been the case with the European Union since the General Data Protection Regulation (GDPR) entered into force in May 2018.
The GDPA was approved in August 2018 and provided for an 18-month period before entry into force, i.e. February 2020. However, with the approval of Provisional Measure 869/2018 in December 2018, this term was extended to 24 months. Thus, unless amended by law, the law will come into force in August 2020. This extension was a relief to entrepreneurs, as the 18-month deadline was too short for many business models to be adapted to the new rule.
What data is protected by law?
The main principles of the law are the protection of privacy, freedom of expression and the inviolability of intimacy, honor and image. These foundations deserve close attention, especially considering that we live in a society increasingly driven by data. With that in mind, the law protects any data that identifies a natural person or from which a natural person can be identified. CPF, ID number, address, IP address and blood type are examples of this kind of data.
The law also regulates the protection of so-called sensitive data, meaning data concerning race, religion, philosophy, politics and sexual orientation.
But what does this protection mean in practice? It means that data subjects (holders) have clearer rights over their data, such as knowing for what purpose the data is being collected and processed, how and for how long it is processed, who the controller (the responsible party) is, and how to contact them.
Moreover, the collection of data by companies will depend on the explicit consent of the holder, given in a clear and objective manner, which must also indicate the purpose for which the data is being collected.
Who should be in compliance with the GDPA?
As mentioned above, any data that identifies or can identify a natural person is protected by the law from its entry into force. It is a mistake to think that only companies that collect data online (marketing, content, etc.) will need to comply with the Data Protection Act. What can already be said is that all companies in the country will have to make considerable adjustments to their routines to obey the new regulation.
It should be noted that not only customer data is protected under the new law: stored information about employees and contractors must also be brought into compliance. Even records of former employees, such as job screening results or information about their health plan, will be covered by the law.
The law must be observed by both public and private entities, although it does make some distinctions between them. And protected data can be online or offline, including written or printed records.
In practice, what changes when the law comes into force?
It is important to emphasize that many of the changes companies will have to make when the law comes into force are neither fast nor simple.
They range from the moment of data collection, through the review of contract clauses and entire contracts, the review of consent terms, the adoption of strict data security policies, training, and the creation of data security compliance policies, to the adaptation of systems to enable data portability and the preparation of the reports required by law.
In addition, the Provisional Measure signed in December created the National Data Protection Authority, which will have the function of guiding the implementation of the law and monitoring cases of data leakage and non-compliance with its obligations. The fines that may be imposed by this authority, which is linked to the Office of the President, are high and may reach up to 2% of the company’s revenue for each incident, in addition to daily fines and other penalties.
Until this authority has full national coverage, other bodies such as the Public Prosecutor’s Office and Procon (the consumer protection agency) will also be watching over these obligations. Even before the law enters into force, the Public Prosecutor’s Office in some states is already imposing fines on the basis of other regulations, such as the Internet Civil Framework (Marco Civil da Internet).
Thus, considering the social repercussions and the economic risks associated with the subject, companies, and the people responsible within them, need to understand that it is indispensable to build a new culture of greater responsibility in data processing, turning this investment into an important competitive advantage.