Pratical tips for your LGPD Compliance Plan

Written by Isabela Guarino Tancredo, Privacy and Data Protection Analyst at Palqee Technologies

With the Brazilian data protection regulation — LGPD — being legally enforced since September 2020, companies that collect and process data from Brazilians, or even just operate in the country have to comply with the regulation and take a hands-on approach in adapting their business models accordingly.

Beyond avoiding the tough penalties that may be imposed by the Brazilian Data Protection Authority (ANPD), adopting corporate measures to protect the integrity of personal data also means protecting the company’s reputation and guaranteeing a competitive advantage over competitors that may fail to comply with the regulations’ requirements.

Fortunately, developing an LGPD privacy compliance plan can be achieved by implementing a few technical or administrative measures.

1. For starters, get the “tone from the top”

Engage the high-rank professional workforce in the company, such as chiefs, managers, and officers, and instruct them about the importance of being compliant with the privacy regulations, so that all the data protection actions yet to be adopted have support from the people responsible for the decision making and budgets.

Getting approval and support from the “top” will not only make the privacy compliance program a corporate-wide accepted and acknowledged undertaking, but also result in further privacy-friendly administrative decisions.

2. Assess the company’s privacy risks

Carefully analyze the company’s internal routines across every department that collects, treats, and uses personal data belonging to employees, clients, and third parties.

Interviewing people from different departments will allow a better understanding of their activities involving personal data, the personal data life-cycle related to their activities, and will make it easier to assess the privacy risks.

Also, it is advised to perform a Data Mapping exercise to better visualize your company’s personal data flows and to synthesize information such as: what data is collected by the company, how data is processed, who are the subjects of the personal data treatment, who is the responsible for each personal data activity, among others.

Being aware of the privacy risks within the company makes it possible to assess the gravity of possible corporative damages they can result in, assess the risk appetite of the company, and create a mitigation plan in case a risk actually happens.

3. Craft Privacy Policies

Develop an internal set of rules to inform stakeholders about their responsibility protecting privacy rights and to help the workforce understand and execute their tasks to build a company culture around data privacy.

This can be achieved through the creation of documents such a Privacy Policy, Privacy Notice, Code of Ethics, and other related documents.

Furthermore, formalizing the business’ commitment to personal data protection in written documents is an effective mechanism to earn the clients’ and stakeholders’ trust regarding your company’s ethics, as well as a means of proof for the authorities.

4. Have internal controls in place

Adopt administrative, technology, and security information measures to guarantee that the Corporate Policies are applied in practical terms among the company’s routines.

Even though engaging the Management, Privacy, IT, and Infosec departments to work together towards a common objective may not be a simple task — especially for big enterprises — this can be achieved by instructing the responsible workforce to adopt the use of cryptography, passwords, access token, security software, to manage the access permissions to the company’s premises, or even to adapt the physical office structures to minimize data leaks, modification or even its destruction.

5. Engage the team

Instruct and periodically train your workforce on the privacy regulations and the content of the Policies. It is important to educate employees from the departments that directly treat and process personal data to build a privacy-friendly culture.

In this sense, it is strongly advised to write your internal Corporate Policies in a clear and informative way to make them easily accessible and understandable. If any doubt arises, be sure to have a responsible privacy professional acting as a direct contact channel with the workforce.

6. Create an anonymous reporting channel and investigate violations

Make a reporting channel available to the workforce, clients and third parties denounce possible violations of the company’s policies and data privacy principles without being identified and eventually retaliated by colleagues.

Once a violation is reported or identified, investigate it, and act upon it under a predetermined and formal procedure.

Not only following certain guidelines to investigate and further apply the adequate and proportional penalties to the responsible for the incident is a fair and lawful procedure, but it also allows the company to mitigate any damage to the individuals’ rights, and prevent future violations.

7. Perform due diligence

Check the background and the current degree of data protection compliance adopted by the third parties with whom your company makes business and especially transfer personal data to.

Performing a background check on the third parties’ concerning privacy matters will make sure the personal data exchanges are safe and present low reputational and economic risks to your company.

8. Finally, always monitor the success of your privacy compliance plan

At last, periodically evaluate if the privacy compliance measures your company has been adopting are being successful in protecting personal data and adjust them if needed, according to the availability of the technological and legislative tools.

For instance, monitoring and improving your privacy compliance plan can be much more easily done by using an accessible, easy to understand automated software while having support from a legal expert.