The Regulamento Geral de Proteção de Dados – RGPD (or General Data Protection Regulation – GDPR) has been in force since May 25th, 2018. The main objective of this law is data protection for European citizens. That is, companies are now compelled to efficiently protect their clients’ data. Companies are also obliged to inform the regulatory body and their clients about any data leakage which might occur. Companies are also now accountable for their suppliers’ data protection practices, even when those suppliers are outside Europe.
In keeping with the worldwide trend, the Brazilian Senate approved, on July 10th, 2018, the Lei Geral de Proteção de Dados – LGPD (General Data Protection Law – GDPL) described in the Chamber of Representatives’ Bill 53-2018, which creates new rules for personal data use in the country. On account of this law, companies should establish clear rules for collecting, storing, handling and sharing personal data. Sanction by the Presidency of the Republic, which may veto the law (or a portion of it), is still needed. Following publication, companies will have 18 months to adapt to the new rules.
The new Brazilian law will set an important milestone for the protection of Brazilian citizens’ personal data, and shall be applied to both the public and the private sector. Companies will only be allowed to collect data which are necessary to the service to be rendered. They may not, for example, build up a database for future use. Once the data have been used for the defined purpose, they shall be deleted, unless the company is compelled to store them, and even then they may not be used for other ends.
To collect and/or use personal data, companies must request consent from the data owner, who may withdraw such authorization at any moment. The purpose of the data collected and stored must be explicit. Some information deemed sensitive, such as religious affiliation, sexual life, and political position, must receive stricter treatment than other data.
Companies shall be held accountable for the security of the personal data collected and stored, and may not transfer them to other entities, unless some legal provision exists. In case of a data leak, the company shall report the fact, within a “reasonable term” to be defined by the said authority, to the competent body (Autoridade Nacional de Proteção de Dados, the National Data Protection Authority, an indirect public administration body linked to the Ministry of Justice), which will be responsible for ascertaining, implementing and checking compliance with this law.
If a data leak or any other violation of the law occurs, the fines envisaged may reach 2% of billings, to a limit of R$ 50 million, and may also entail the suspension of company activities.
The new law is an important milestone in data protection regulation and, as a consequence, shall bring technological development aimed at helping companies reach compliance. This means an advancement in the guarantee of individual rights, which will make citizens more secure regarding their data.
One of the technologies which may be used in data protection is data masking. Delphos has set up a partnership with a European company, and is bringing to the Brazilian market an easy-to-use tool for this purpose. Please contact us in case you wish to receive early information about this launch.