The Brazilian Federation of Banks has issued a regulation strengthening rules to protect customer personal data in accordance with the General Data Protection Law (LGPD). The regulation came into effect at the end of February 2022.
The aim of the new regulation was to establish guidelines and minimum procedures to improve the protection of the Holders’ Personal Data processed by the Signatories. Financial Institutions must apply the following principles when processing personal data:
- Transparency and open access
- Purpose, adequacy, and necessity
- Prevention and safety
- Data quality
They must also prepare and implement a privacy governance program with minimum procedures and good practices to:
- Protect personal data during its entire life cycle, from conception to destruction
- Establish security incident response and remediation plans
- Adopt, maintain, and disclose policies with standards and best practices for personal data protection and information security
- Establish and implement mechanisms to allow personal data holders to exercise LGPD rights
- Prevent damage from accidental or unlawful processing
- Establish privacy training and education for employees
Signatories shall keep records of the Personal Data Processing operations they perform. They must provide the data subjects with clear, complete and easily accessible information on the processing of their personal data.
Right of Holders
Signatories must make at least one channel available to Holders so they can exercise their rights. The rights in the LGPD may be exercised, free of charge, by the holder or their representative upon express request. These requests must be met within the time limits provided for in the legislation.
Signatories may, when necessary, take reasonable measures to confirm the Holder’s identity. They are also responsible for providing training, instruction or capacity building to their employees and managers, focused on the protection of personal data and privacy according to the risk involved in their activity. Signatories must also appoint a person in charge of Personal Data Processing, as provided in the LGPD; the only exception is a waiver of appointment granted by the ANPD. Measures must be adopted to adapt the necessary contracts with service providers to include clauses, or references to clauses, regarding the Processing of Personal Data.
Failure to comply with this regulation will result in the application of the sanctions of the Code of Ethical Conduct and Self-Regulation in the Banking sector.
As we approach the 1-year anniversary of the LGPD being implemented, it seems that there is still a lot changing. Confusion around what exactly each business needs to do is common. But getting caught out can be costly, both financially and reputationally. Value Privacy have experts who will provide you with a comprehensive assessment of your policies and practices. Act today before it’s too late.