The Brazilian Institute for Consumer Protection (IDEC) has encouraged small and micro businesses to make sure their handling of personal data complies with the LGPD. There is a lot to consider when it comes to the LGPD and your data, but it's important that it is done correctly.
Here’s what needs to be done at a glance:
- Where to start
- Data Protection Officer (DPO)
- Privacy Impact Assessments
- Customer Privacy
- Employee Privacy
- Outsourcing
- Cross-border transfers
- Security
Where To Start
It can be daunting to know where to start when making sure your business is compliant with the LGPD. We've listed some of the key things to do below:
- Define your organization’s purpose and use it as a guide for your practices regarding LGPD requirements
- Identify the employees and managers who will be directly responsible for adapting business practices
- Eliminate any data that is not relevant or necessary for processing
- Anonymize data that can be used without identifying the data subject that the data pertains to
- Define the role and responsibilities of the data, documentation, and communication manager
- Hire specialist third parties, like Value Privacy, to perform the actual process of bringing your business into compliance with LGPD
- Map all the personal data you collect, store and process, to help identify:
- Any sensitive data that has been processed
- The purpose for processing
- Any third parties that process personal data for you
- The way data is collected and stored
- Any third parties that you share personal data with
- All international transfers of data
Data Protection Officer (DPO)
Even though your business may only be small, that doesn't mean you don't need a DPO. A DPO is responsible for many things that cannot be overlooked, such as:
- Accepting complaints and communications from data subjects
- Receiving communications from the ANPD
- Monitoring your organization’s compliance with LGPD obligations
- Mapping an organization’s data flows
- Producing data protection impact reports
- Being the point of contact between your business and the ANPD
- Making data processing agreements with third parties
Privacy Impact Assessments
Privacy Impact Assessments are used to assess the risks related to any data processing performed by your business. This includes any risk to data subjects while you are responsible for their data. It must also establish the legal bases that justify you processing the data you handle.
Customer Privacy
Your company must have an up-to-date privacy policy and cookie policy. They are important to let your data subjects know what is happening to their data and what they can do about any concerns they might have.
Your privacy policy should include:
- Who is in charge of your business’ data processing activities and how to get in touch with them
- How each type of personal data is collected and processed
- The purpose of the data processing
- The mechanisms in place to safeguard personal data
- The software used to process personal data
- Which third parties are involved in processing your business’ data
- Any applicable retention periods*
- Whether or not data is shared with third parties either within Brazil or internationally
*Retention periods should be clearly defined so that consumers know how long their data will be stored and the process by which it will be deleted at the end of that period.
Your cookie policy should include:
- How you use cookies
- What personal data is collected using cookies
- The purpose for processing data using cookies
You must also bear in mind that a data subject has the right to request the data you hold on them, so it's best to be prepared. Efficient processes for handling these requests mean you won't get caught out when they arrive, and you will be able to respond within the deadline established by the LGPD.
Employee Privacy
Consumers aren’t the only people whose data needs to be protected. Your employees are also trusting your business with their data and as such they deserve their own policies on the subject. You should provide notice to your employees that your business has an Employee Personal Data Protection Policy and an Internal Data Protection Policy.
Your Employee Personal Data Protection Policy needs to address:
- The types of data collected during the hiring process
- Any differences in the treatment of personal data between contractors and permanent staff
- Applicable retention periods
- The situations in which employee personal data may be shared with third parties
- Examples of the types of data that will be processed whether by law or in the best interest of the controller
- An explanation of any employee monitoring such as:
- CCTV
- Internet monitoring
- Recorded telephone calls
Your Internal Data Protection Policy will provide a broader overview of the data protection process:
- The purpose and justification for each type of personal data collected
- The rules for sharing and deleting personal data
- The basic functions and contact information of the person in charge of data processing
- A list of definitions of the concepts that are used in this and other documents in relation to LGPD
Another important thing to bear in mind when it comes to your employees is that they need to be aware of your business’s obligations to comply with LGPD. You should create a training program which periodically evaluates employee awareness and understanding of all this. It’s advisable to hire a specialist third party, such as Value Privacy, to advise employees and management on how to adapt business practices to comply with LGPD.
Outsourcing
When outsourcing to a third party, you need to keep those contracts up to date and set out your role as controller or processor in relation to their processing activities. It's vital that you define clear parameters for when it is and isn't appropriate to share personal data.
Cross-border transfers
You must have mechanisms in place for cross-border transfers of personal data, and those mechanisms must meet the conditions the LGPD sets for international transfers.
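The data-mapping checklist under "Where To Start", the outsourcing point and the cross-border point above all come down to keeping an accurate map of your processing activities and checking it for gaps. The following is an added example, written for this page and not code from the original article or from Value Privacy, of such a map with automated checks: each record captures the items the checklist asks for (categories, purpose, collection and storage, third-party processors, sharing, international transfers, retention), and `audit` flags sensitive data, missing purposes or legal bases, undefined retention periods, processors without a processing agreement, and transfers outside Brazil that have no transfer mechanism recorded. The field names, the set of sensitive categories and the three sample records are assumptions constructed for the example.

```python
"""Added example (not from the original article): a minimal personal-data map
with automated gap checks.  Record fields, sensitive categories and the sample
records are assumptions made for this illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Categories treated as sensitive personal data in this example (assumption;
# the article only says "any sensitive data that has been processed").
SENSITIVE_CATEGORIES = {"health", "biometric", "genetic", "religion",
                        "political_opinion", "racial_or_ethnic_origin"}


@dataclass
class ProcessingRecord:
    """One row of the data map: a processing activity and how it handles data."""
    activity: str
    data_categories: Set[str]
    purpose: str
    legal_basis: str                      # e.g. "consent", "contract", "legal_obligation"
    collected_via: str                    # how the data is collected
    stored_in: str                        # where it is stored
    retention_days: Optional[int]         # None = not defined yet
    processors: Set[str] = field(default_factory=set)            # third parties processing for us
    processor_agreements: Set[str] = field(default_factory=set)  # processors with a signed agreement
    shared_with: Set[str] = field(default_factory=set)           # third parties we share data with
    transfer_countries: Set[str] = field(default_factory=set)    # destinations outside Brazil
    transfer_mechanism: Optional[str] = None                     # e.g. "standard_contractual_clauses"


def check_record(rec: ProcessingRecord) -> List[str]:
    """Return the gaps found in one record; an empty list means nothing was flagged."""
    gaps = []
    if not rec.purpose.strip():
        gaps.append("no documented purpose")
    if not rec.legal_basis.strip():
        gaps.append("no legal basis recorded")
    sensitive = sorted(rec.data_categories & SENSITIVE_CATEGORIES)
    if sensitive:
        gaps.append("sensitive data processed: " + ", ".join(sensitive))
    if rec.retention_days is None:
        gaps.append("no retention period defined")
    # Every processor must be covered by a data processing agreement.
    for proc in sorted(rec.processors - rec.processor_agreements):
        gaps.append(f"processor '{proc}' has no data processing agreement")
    # Any transfer outside Brazil needs a recorded transfer mechanism.
    if rec.transfer_countries and not rec.transfer_mechanism:
        gaps.append("international transfer to "
                    + ", ".join(sorted(rec.transfer_countries))
                    + " without a transfer mechanism")
    return gaps


def audit(records: List[ProcessingRecord]) -> Dict[str, List[str]]:
    """Run check_record over the whole map, keyed by activity name."""
    return {rec.activity: check_record(rec) for rec in records}


# Constructed sample data map for a small business (not real data).
SAMPLE_MAP = [
    ProcessingRecord(
        activity="newsletter",
        data_categories={"name", "email"},
        purpose="send marketing newsletter",
        legal_basis="consent",
        collected_via="website sign-up form",
        stored_in="email service provider",
        retention_days=730,
        processors={"mail-provider"},
        processor_agreements={"mail-provider"},
    ),
    ProcessingRecord(
        activity="payroll",
        data_categories={"name", "cpf", "bank_account", "health"},
        purpose="pay employees and handle sick leave",
        legal_basis="legal_obligation",
        collected_via="HR onboarding forms",
        stored_in="payroll SaaS",
        retention_days=None,
        processors={"payroll-saas"},
    ),
    ProcessingRecord(
        activity="web_analytics",
        data_categories={"ip_address", "cookie_id"},
        purpose="",
        legal_basis="",
        collected_via="cookies on the website",
        stored_in="analytics vendor",
        retention_days=90,
        processors={"analytics-vendor"},
        processor_agreements={"analytics-vendor"},
        transfer_countries={"US"},
    ),
]


if __name__ == "__main__":
    for activity, gaps in audit(SAMPLE_MAP).items():
        print(activity, "->", gaps or "no gaps")
```

Running the block prints one line per activity: the newsletter record has no gaps, payroll is flagged for sensitive (health) data, an undefined retention period and a processor without an agreement, and web analytics for a missing purpose and legal basis and a transfer to the US with no mechanism. The same list of gaps is the raw material for the privacy policy items (retention periods, third parties, international sharing) and for the impact assessment's legal-basis question.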
Security
It's important to have not only organizational measures in place to protect personal data but also technical ones. Together they protect personal data and help prevent security breaches, which are damaging and can be costly. You should also have an internal process for notifying the ANPD and affected data subjects in the event of a security incident. Value Privacy can help you to establish whether there are any security concerns within your company.
Two more policies are important to have. The first is an information security policy, which breaks down:
- The main concepts related to information security
- The classification of data based on the importance of it being kept confidential
- The type of storage and protection provided to personal data
- Whether IT responsibilities are outsourced to third parties
The second is a security incident policy, for use in case of a breach. This should cover:
- What is considered a security incident
- Examples of the types of security incident
- The types of support available during an incident:
- Legal
- IT
- Data Manager
- How you as a business and your employees should respond
- How the severity of an incident is assessed
There is so much that needs to be implemented to comply with the LGPD, and it is a minefield. Although the ANPD is considering lessening the requirements for small and micro businesses, this is currently what is expected. Here at Value Privacy, we can take the stress out of this process and provide a full health check on your business to see how you are faring against the LGPD. Contact us for an assessment.