The approval of the Brazilian GDPR (General Data Protection Regulation), in August 2018, was an important achievement for all citizens, especially in relation to the protection of an essential constitutional principle in the age of (dis)information in which we live: privacy.
With the new regulation, data subjects are guaranteed privacy throughout the data life cycle, that is, from collection, through processing and sharing, to the deletion of personal information.
In addition, the GDPR, like other personal data protection laws passed in other countries, also aims to guarantee informational self-determination: the right of individuals to control their own personal information, so that they can decide on the collection and use of their personal data.
Thus, in order to guarantee the protection of these and other rights, the legislator stated, in article 6 of the GDPR, that all processing of personal data must respect, above all, good faith, as a general principle that governs legal relations. In addition, the legislator set out ten further principles that data processing must respect:
Purpose: processing is carried out for legitimate, specific and explicit purposes that are disclosed to the data subject, with no possibility of further processing in a manner incompatible with those purposes.
Adequacy: compatibility of the processing with the purposes disclosed to the data subject, according to the context of the processing.
Necessity: limitation of the processing to the minimum necessary to accomplish its purposes, covering only relevant data, proportional and not excessive in relation to the purposes of the processing.
Free access: guarantee to data subjects of free and easy consultation on the form and duration of the processing, as well as on the completeness of their personal data.
Data quality: guarantee of the accuracy, clarity, relevance and currency of the data, as needed for the fulfillment of the purpose of its processing.
Transparency: guarantee to data subjects of clear, accurate and easily accessible information about the processing and the respective processing agents, while observing commercial and industrial secrets.
Security: use of technical and administrative measures to protect personal data from unauthorized access and from accidental or unlawful destruction, loss, alteration, communication or dissemination.
Prevention: adoption of measures to prevent the occurrence of damage arising from the processing of personal data.
Non-discrimination: processing may not be carried out for unlawful or abusive discriminatory purposes.
Responsibility and accountability: demonstration, by the agent, of the adoption of effective measures capable of proving observance of and compliance with the personal data protection rules, and even of the effectiveness of those measures.
How do I ensure compliance with the GDPR principles?
There is no doubt that compliance with the GDPR principles listed above will require a series of adjustments in most companies across the country. And the consequences could not be otherwise: failure to comply with these principles, in addition to the other obligations provided for by the law, may in itself give rise to the imposition of a series of penalties, from fines to publicizing of the infraction and deletion of the data.
In other words, to pursue compliance, procedures must be reviewed using structured methodologies, by a team trained in both the technical and legal areas, with an analysis of the entire data life cycle within the company. Be ready!