Adapting to the new General Data Protection Law (Law No. 13,709/2018, LGPD), the Brazilian legislation that regulates personal data processing activities, was a real 100-meter race toward a single goal: adequacy. In that race, generally only the minimum requirements are considered, since the vast majority of businesses have few resources, whether financial or time-related, to become adequate. However, adequacy alone is not enough: companies need to raise their maturity level over time, along a stable curve, providing greater security for the market and obtaining a competitive edge. Finally, maturity in privacy protection is important because it distances the company from penalties by the national data protection agency (ANPD), which is still under construction.
Among the biggest challenges of modern business risk management is protecting the privacy of employees, suppliers and, especially, customers. As consumers, we are concerned with what information is used and how. This concern, plus the specific regulation, creates a two-sided obligation for companies: to meet their customers’ expectations and, if they don’t, to be severely punished by the State. We know that the sanctions are heavy: reputation damage due to the publication of infractions, fines in the amount of up to fifty million reais, total or partial database shutdown, among others.
Most organizations have already understood these needs, and their deployment is already on the agenda of many directors’ meetings. The real challenge for companies that have already reached the implementation maturity level is to sustain these good practices. This support will generally come from the data protection officer, better known by the acronym associated with the European regulation on personal data protection: DPO (Data Protection Officer).
Maintaining the DPO is a challenge in itself. Finding all the skills necessary for a good DPO in a single professional is very rare, because few people are experienced in technology, law, and compliance at the same time. Naturally, these gaps are filled by several professionals, changing the “O” in DPO to “office”: from personal data protection officer to personal data protection office.
However, the challenge does not end there. Maintaining such specialized professionals is often too expensive, which constantly leads to outsourcing of this role.
The DPO, working close to the management board of the company it serves, will need to put forward a wide range of measures to sustain the company's environment of respect for privacy: procedures to meet data holders’ requests; procedures to meet ANPD’s requests; preparation of Data Privacy Impact Assessments (DPIA); acculturation of the company, among others, including a privacy and audit risk management routine.
An audit, and consequently an auditor, should consider topics such as the roles in privacy protection, privacy risk management, privacy protection controls, and the key risks and their corresponding actions, without prejudice to all other needs. The current scenario of personal data privacy and protection allows auditors to be active participants, helping the organization to understand and deal with privacy risk issues.
Management’s failure to properly address personal information protection poses several risks to the organization, including high-value, million-dollar financial losses, whether due to reputation damage, loss of contracts and customers, or direct fines imposed by ANPD. In any privacy protection framework, at least the questions below must be taken into consideration, in addition to others adapted to the audited organization.
First, it is absolutely necessary to consider privacy controls. Adequate governance and supervision by C-level executives, directors and managers (i.e., tone at the top) is an essential control for addressing the privacy risks faced by the organization. The auditor needs to check whether there is an incentive for the business to address how the organization manages, controls, and protects the personal data it collects about customers and employees.
It is also important to check whether the organization evaluates its compliance and its personal data handling practices and weaknesses, comparing them with internal policies, laws and regulations, and best market practices.
All these points can be audit targets, where auditors can contribute to better governance by bringing the reality of the organization closer to its objectives, that is, mapping the current scenario (AS IS) and pointing out the gaps. Some of these specific activities are: working with the legal department to make sure that applicable privacy laws and regulations are taken into consideration; working with the information technology department and business process owners to assess whether information security and data protection controls are in place and regularly reviewed; conducting privacy risk assessments or reviewing the effectiveness of policies, privacy practices, and controls across the organization; identifying the types of personal data collected, the collection methodology used, and whether the organization's use of the information is in accordance with the intended use; reviewing data flow policies, procedures and guidelines; reviewing data processing procedures designed to protect the privacy of personal data, with a focus on identifying potential opportunities to standardize data protection practices across the organization; conducting an assessment of service providers, including a review of procedures; and reviewing current training practices and materials, with an inventory of required awareness and training.
Thus, we can say, in the final analysis, that privacy protection goes beyond the LGPD adaptation project, however important and necessary that project may be. Privacy and audit risk management is just one of the many facets required for the privacy protection environment to maintain an adequate maturity, and it is an extremely important and relevant one.
BRAZIL, General Data Protection Law (2018), CHAPTER VIII SURVEILLANCE, Art. 52: