It is never too soon to deal with privacy by design under Brazilian LGPD

Data protection has decisively shaped the debate in recent years. The European experience with its General Data Protection Regulation (GDPR) has spread to many countries and inspired legislation on the subject.

The Brazilian General Data Protection Law (LGPD), passed in 2018, will enter into force soon, after a postponement caused by the current pandemic. The law is expected to bring more security for data subjects under the Brazilian legal framework.

Although the LGPD will take effect only next year, businesses and organisations need to prepare their data management and processes now to avoid fines and, worse still, loss of consumer trust.

As a starting point for a compliance programme, the Privacy by Design (PbD) principles are a good way to ensure end-to-end privacy during data processing. The concept of PbD was developed in the 1990s by Ann Cavoukian, the former Information and Privacy Commissioner of Ontario, Canada.

Several studies in the field aim to show that Cavoukian’s seven foundational principles are paramount to protecting privacy, from IT systems and physical design to business practices. The GDPR and the LGPD have many similarities, which may make it easier to develop PbD under both.

Cavoukian’s principles, such as privacy being proactive and preventive, transparent, and designed to guarantee end-to-end security (i.e. throughout the full data lifecycle), match several LGPD articles and provisions, although the law does not state them expressly.

The GDPR, on the other hand, has expressly adopted “data protection by design and by default” in its Article 25, with reference to the technical and organisational measures needed to implement data protection principles. It embeds privacy requirements from the very first moment data is collected until the information is erased.

Therefore, PbD deals with privacy and respect for the user from “cradle to grave”, in Ann Cavoukian’s words. That does not mean, however, that a business’s or organisation’s reputation and credibility need to follow the same path. Data protection legislation is not just a framework to comply with. If a business does not respect its users’ privacy, beyond receiving fines, it will bury its image within its sector.

To sum up, the 1990s brought us many technological and legal advances, such as the World Wide Web, Directive 95/46/EC of the European Parliament and of the Council and, of course, PbD. But what that decade really teaches us is that it is never too soon to discuss and implement privacy as an organisational default.

The next lesson from the 1990s is still unclear, but for now we are more than equipped to start seeing privacy as a benefit, not as a problem.

Businesses struggling with GDPR compliance

According to a recent survey conducted by Deloitte, only 30% of organisations have been responding to customer requests regarding their personal data within the GDPR timeframe.

What is GDPR?

The General Data Protection Regulation (GDPR) came into effect in May of this year. A measure put in place to modernise the data protection directives of the 1990s, the GDPR aims to keep pace with rapid technological change in the protection of customer information. It was also implemented to set in place a more consistent set of guidelines across Europe.

Although the GDPR has been applied more effectively to technological advances than its predecessors, it took more than four years of negotiation and discussion before its guidelines were decided upon. This highlights how, even though steps have been taken, regulation still lags behind the pace of innovation in the technology sector and the potential misuse and monopolisation of data.

Each European country had the option to alter the law slightly according to its own jurisdiction. In the UK, the Data Protection Act 2018 was initially greeted with some controversy, since its guidelines were amended to protect cyber-security researchers.

These guidelines protect consumers by giving them easier access to the data a company holds about them, and by introducing steeper fines for organisations that breach the regulations. In the UK this is overseen and enforced by the Information Commissioner’s Office (ICO). Companies must notify the ICO no later than 72 hours after becoming aware of any breach in which the data they store has been accessed.

Businesses had from May 2016 to May 2018 to prepare for and implement the new GDPR measures, so the question remains: why are businesses not fully adhering to the GDPR timeframe?

Is it the Brexit effect?

Post-Brexit changes should not have an overwhelming effect on GDPR guidelines; this is largely because each European country has been allowed to make its own adjustments so that the law works most effectively in its jurisdiction.

The two years businesses had to prepare for the GDPR meant they had time to find other effective ways of gathering the information they need to conduct business, without breaching a customer’s right to privacy.

One data breach story that made the headlines was Facebook’s admission that 50 million ‘access tokens’ for accounts had been taken by unknown hackers. This is the kind of eventuality the GDPR hopes to reduce through the introduction of stricter measures and hefty fines.

Survey conducted by Deloitte

“Six months in, what is clear is that some organisations are still grappling with the implementation of their GDPR compliance,” said Peter Gooch, cyber risk partner at Deloitte.

Deloitte has stated that in the six months the GDPR has been in effect, more than two-thirds of the organisations that took part in its global survey (1,100 organisations responded) have been responding to customer data requests late.

Gooch continued: “Given the complexities of such programmes and increased consumer awareness of such requests, we would expect some bedding-in time. However, our research found that a fifth of organisations only aimed for bare minimum compliance back in May, which may be indicative of the delays some customers are currently experiencing.”

The GDPR timeframe for handling data requests submitted by consumers (for example, a request to opt out of direct marketing or to erase their details from company systems) is one month. Although the rate of fulfilment within that window is low, it is an improvement on previous measures.

“That said, 33% of organisations surveyed continue to invest in their privacy practices, including in technology and talent,” said Gooch. “Since May, 70% of organisations surveyed have seen an increase in staff who are either partly or fully focused on GDPR compliance. For many, this included the recruitment of a dedicated Data Protection Officer (DPO). Of the countries surveyed, the UK leads in this respect, with 92% of respondents assigning a DPO.”

With DPOs now assigned role-specific responsibility for GDPR compliance, the number of businesses handling data requests in a timely manner should increase.

Gooch concluded: “Overall, organisations are taking the right steps in continuing their GDPR implementation and the majority (92%) felt confident in demonstrating their ability to conform in the long-term. In the immediate term, though, many will need to address today’s pressure to respond to data requests. This is particularly the case as online tools, enabling consumers to make mass data requests, increase in popularity.

“Those that are currently responding with some delay will need to take a more customer-centric approach, not only to meet the existing volume, but also the influx of requests their tools could create.”