By Fábio Aspis, Luis Fernando Prado Chaves and Renato Malafaia.
On May 8th, the Daniel Law office hosted an event on the main aspects of the Brazilian General Data Protection Law (LGPD), the methodology for the compliance plan regarding the Law that will take effect in August 2020, the practical issues companies face in choosing a Data Protection Officer (DPO), and the interactions between data and digital marketing activities.
In the first panel, the member and head of the Digital Law, Privacy and Data Protection area, Luis Fernando Prado Chaves, highlighted, among other aspects, the applicability of the law, the principles and lawful bases for processing, individual rights, the processing of special category data, the international transfer of data and possible security incidents.
In addition, with the same practical focus, the phases of the action plan were listed. The first one, called “Assessment”, is the initial diagnostic phase. It makes it possible to map the company’s main gaps in relation to compliance with the LGPD, through an initial kickoff of the project, the production and targeting of specific questionnaires, and a gap analysis.
The second phase, “Compliance, Governance and Good Practices”, provides the documents and clauses necessary for structuring an LGPD Compliance Program. Finally, the third phase aims to change the culture of the company by conducting training and preparing internal communication plans.
After completing the three phases mentioned, it was highlighted that work should be established following the implementation of the principles, rules and standards of the new law, in order to ensure that the company remains in constant compliance with the LGPD, mainly through analyses of new projects in light of data protection (ensuring compliance with the principle of privacy by design in the company).
Finally, Luis pointed out common mistakes that companies make during an LGPD implementation process, such as hiring more than one consultant at different times, underestimating the effort required to conduct the process, not ensuring interdisciplinarity, starting from wrong legal premises and not worrying about changing the company culture.
In the second presentation, Ana Carolina César and guest speaker Luiz Philippe Moura addressed the theme “who’s going to be my DPO?”, showing that when it comes to data protection, not every hero wears a cape.
Appointed by the controller, the “Encarregado” (the Portuguese term for the Data Protection Officer) concentrates functions such as: (i) assuring the rights of the holders with regard to the treatment of their data by the organization; (ii) answering questions from other members of the company; (iii) internally promoting awareness campaigns on the subject; (iv) acting as a channel of communication between the data holders, the controller and the National Data Protection Authority (ANPD); and (v) performing assignments determined by the controller or established by Law.
Additionally, the speakers demonstrated the possible incidence of personal responsibility for the Data Processing Agents (Controller and Processor) and the absence of it in relation to the DPO, according to Brazilian law.
The hiring of this professional, therefore, must comply with strict criteria, such as a high level of expertise, preferably with knowledge of the LGPD, Technology and Information Security, and a broad understanding of the areas of the company and the ways in which it deals with personal data. All this serves to implement and promote an effective and modern data protection culture within the corporation.
An alternative that has been supported by a good part of the market is the hiring of companies specialized in the subjects above, which act as DPO as a Service and take on all the responsibilities and obligations of the person in charge.
Finally, the brand partner Vanessa Gaeta presented the theme “Data protection and digital marketing: how to reconcile?”, with the aim of demonstrating the possible impacts of the new law on the sector, especially considering the different types of targeted advertising.
A modern corporate marketing tactic, targeted advertising aims to build, in real time, each user’s profile according to their preferences, and then customize the ad to maximize the chances of success in sales.
In this scenario, the new LGPD concepts will directly impact this issue, especially as regards the form of data processing and the lawful basis for processing that authorizes it, even considering the possibility of data anonymization.