Application of the LGPD for companies
In August 2022, the General Data Protection Law (LGPD) completed 1 year in full force throughout the national territory, with the provisions that set penalties for processing agents who fail to comply with the law also in effect. However, there are still entrepreneurs, owners of small and medium-sized businesses, who believe that the law is enforced only against large companies.
The fact is that this belief is one of the biggest myths about the LGPD, since the law applies to every natural person or legal entity governed by public or private law that carries out personal data processing operations within the national territory, as provided in Article 3[1] of the law.
For further clarification, it is important to keep in mind the definitions of two key terms: personal data and processing. According to Article 5 of the law, personal data are any information capable of identifying a natural person or making one identifiable, so they concern only natural persons. Processing is understood as any action carried out with the data collected, such as storage or sharing, among others.
Continuing to believe that the law does not apply to small and medium-sized companies, and failing to make the necessary adjustments, can lead to major financial problems: the pecuniary penalties that the National Data Protection Authority (ANPD) can apply when an infraction is verified can reach up to 2% of the company’s or group’s turnover in the last financial year, limited to R$ 50,000,000.00 (fifty million reais) per infraction.
To make matters worse, in addition to large financial losses, failing to implement rules and routines for compliance with the law has a negative impact on all business procedures, for example in relationships with customers, suppliers and employees, and may even lead to lawsuits in the labor and civil spheres.
The best way to prevent this is to adapt all of the company’s procedures that use personal data, and the following actions can be pointed out as crucial elements of a well-structured and complete LGPD compliance process:
(i) appointment of a DPO (person in charge);
(ii) risk analysis of transactions involving personal data;
(iii) mapping of the data collected and used by the company;
(iv) assignment of legal bases to the data used;
(v) adaptation of draft contracts;
(vi) policy development; and
(vii) training of the entire team.
The order and form in which these actions are implemented should be studied by specific people inside and outside the company, and in each case more emphasis may be placed on a particular action, depending on the company’s current level of compliance.
Once these one-off actions have been completed, it is extremely important to monitor their implementation constantly, because compliance with the General Data Protection Law must be part of the company’s organizational culture, and a one-off adaptation is therefore not enough.
Marina Sampaio Costa
Lawyer with a law degree from Centro Universitário Padre Anchieta (2018), enrolled in the Brazilian Bar Association, São Paulo Section (2019). Postgraduate in Business Law from Faculdade Legale and in Corporate Law and Compliance from Escola Paulista de Direito (EPD); author of articles. Lawyer and Operations Coordinator at TM Associados.
[1] Art. 3. This Law applies to any processing operation carried out by a natural person or by a legal entity governed by public or private law, regardless of the medium, the country of its headquarters or the country where the data is located, provided that:
I - the processing operation is carried out in the national territory;