
It is Never Too Soon to Deal With Privacy by Design Under LGPD

The LGPD (Lei Geral de Proteção de Dados Pessoais) is a statutory law on data protection and privacy in the Federative Republic of Brazil. Its primary aim is to unify some 40 different Brazilian laws that regulate the processing of personal data.

Data protection has decisively marked the discussions of the last few years. The European experience with the General Data Protection Regulation (GDPR) has spread to many countries and inspired legislation on the subject.

The Brazilian General Data Protection Law (LGPD), passed in 2018, will enter into force soon, after a postponement caused by the current pandemic. The law is expected to bring greater security to data subjects under the Brazilian legal framework.

Although the LGPD will take effect only next year, businesses and organisations need to prepare their data management and processes now, to avoid fines and, worse still, the loss of consumer trust.

As a starting point for a compliance programme, the Privacy by Design (PbD) principles are a good way to ensure end-to-end privacy throughout data processing. The concept of PbD was developed in the 1990s by Ann Cavoukian, then Information and Privacy Commissioner of Ontario, Canada.

Several studies in the field aim to show that Cavoukian’s seven foundational principles (proactive not reactive; privacy as the default setting; privacy embedded into design; full functionality, positive-sum not zero-sum; end-to-end security across the full lifecycle; visibility and transparency; and respect for user privacy) are paramount to protecting privacy, from IT systems and physical design to business practices. GDPR and LGPD share many similarities, which may make it easier to implement PbD under both.

Cavoukian’s principles, such as treating privacy as proactive and preventive, keeping it visible and transparent, and building in end-to-end security (i.e. across the full data lifecycle), match some of the LGPD’s articles and provisions, although the law does not state them expressly. The closest provision is Article 46, which requires security measures to be observed from the design phase of a product or service through to its execution.

GDPR, by contrast, expressly adopts “data protection by design and by default” in Article 25, requiring appropriate technical and organisational measures to implement the data protection principles. This covers privacy requirements from the moment data is first collected until the information is erased.

PbD therefore deals with privacy and respect for the user from “cradle to grave”, in Ann Cavoukian’s words. That does not mean a business’s or organisation’s reputation and credibility need to go to the grave along with the data. Data protection legislation is not just a framework to comply with: a business that does not respect its users’ privacy will not only receive fines but also bury its image within its own sector.

To sum up, the 1990s brought us many technological and legal advances, such as the World Wide Web, Directive 95/46/EC of the European Parliament and of the Council and, of course, PbD. But what that decade really teaches us is that it is never too soon to discuss and implement privacy as an organisational default.

The next lesson from the 1990s is still unclear, but for now we are more than ready to start seeing privacy as a benefit rather than a problem.