Effects and Projections of the Brazilian General Data Protection Law (LGPD) Application and the Role of the DPO

Claudio Roberto Pessoa, Bruna Cardoso Nunes, Camila de Oliveira, Marco Elísio Marques
DOI: 10.4018/978-1-7998-4201-9.ch011

Abstract

The world scenario is changing when we talk about personal data protection. Not that long ago, it was common to find companies that sold databases, and other companies that worked with the information contained in these databases, aiming to create profiles and generate solutions using technologies such as big data and artificial intelligence, among others, in order to be attractive and win more customers. To protect the privacy of citizens across the world, laws have been created and/or expanded to reinforce this protection. In Brazil, specifically, the Lei de Proteção de Dados Pessoais – LGPD [General Data Protection Law] was created. This research aims to analyze this law, as well as other laws that orbit around it. The goal is to understand the impact of law enforcement on business routine and, as a specific objective, what the role of the DPO (Data Protection Officer) in organizations will be.

Introduction

Today, the protection of personal data is a worldwide concern, especially after incidents such as the Cambridge Analytica case, in which the company was accused of using personal data to interfere in the 2016 election process of the United States of America. The company has been accused of using techniques that have since become commonplace, based on the concepts of Big Data and Data Mining, to analyze information, create profiles and strategically align this information with the interests of some organizations.

These technologies have brought many benefits to companies. However, any technology, when used for evil purposes, can be harmful. As can be seen on the website Information is Beautiful¹, many security incidents have exposed citizens' data all around the world. These incidents have happened as a consequence of a lack of security planning, or of the way existing data is used.

In this context, with the protection of privacy in mind, several countries have promulgated laws with the objective of restraining this type of behavior by companies and malicious people. In Brazil, in August 2018, Law 13.709, called the “Lei Geral de Proteção de Dados – LGPD” (General Law of Personal Data Protection), was enacted, setting out the “rules of conduct” that people and companies must follow. If a person or company does not meet its requirements, sanctions will be imposed, and they can be harsh.

Implementing compliance with this law should be the work of a multidisciplinary team, taking into account the areas of Management, Information Security, Information and Communications Technology (ICT) and Legal. Each area will have an important contribution to make in adapting work procedures. It will be difficult for any one of these areas alone to meet the organization's demands.

This work studies the connection between the areas of Management and Information Security and the effects and projections of LGPD enforcement in the Brazilian Legal System. LGPD is directly connected to several other Brazilian laws, and only by knowing its impact will it be possible to draw up an action plan to mitigate the existing risks in the organization's business.

Regulatory Evolution: Aspects of the Contribution of the General Data Protection Regulation (GDPR) to the Framework of the Brazilian Equivalent Law (LGPD)

In the 1970s, some countries in Europe were already engaged in establishing parameters for data protection. Going further, in 1995 Directive 95/46/EC of the European Parliament and of the Council concerning data processing was approved and required each member of the European Union to have:

a data protection agency or commission, the latter should be a government agent that oversees the application of individual privacy protection principles and laws. The directive 95/46/EC also requires that each agency or commission should edit laws on the personal data processing. (REINALDO FILHO, Demócrito, 2013)

For 20 years, Directive 95/46/EC has been one of the most important documents in terms of advances in data protection. However, in view of new needs in an increasingly digital universe where the demand for updates was growing, the ideal conditions arose for a more up-to-date and comprehensive law to appear on the European scene.

It was then that, in 2016, the “General Data Protection Regulation – GDPR” was enacted, coming into force two years later, in May 2018. According to VAINZOF (2019), Regulation (EU) 2016/679 came into force on 05/25/2018, replacing Directive 95/46/EC, as well as the national laws and regulations based on it. For GOMES (2018), GDPR is the “largest set of online privacy protection ever created, since the beginning of the Internet”.

In the business field, MOREIRA (2017) highlighted that the European resolution offers a rich substratum for entities/companies to be able to guide their actions with considerable legal certainty.

The regulatory evolution of data protection in Brazil, up to the LGPD milestone, suffered many setbacks and was inspired by the European General Data Protection Regulation (GDPR). According to KINGDOM FILHO (2013):
