Privacy programmes as a catalyst for corporate governance
After the arrival of the European Union’s (EU) General Data Protection Regulation (GDPR) and Brazil’s subsequent, broadly equivalent, General Data Protection Law (LGPD), many businesses implemented privacy programmes to protect the personal data of their customers, employees, and partners. Amanda Israel Fraga, Partner and Compliance Director, Russell Bedford, Brazil, reports.
Both pieces of legislation have the common objective of raising the profile of data protection and the importance of protecting people’s data. This brings Brazil into line with the many other countries that already carefully protect people’s data and preserve privacy.
The purpose of Brazil’s LGPD
Brazil’s LGPD regulates how personal data must be protected. This legislation has revolutionised business relationships by empowering the holder of the data and leaving decisions about how businesses use data in the hands of the individual. This brings Brazil into line with the global trend towards creating rules for the protection of data. Importantly, observing privacy, and maintaining relations with other developed countries, is a prerequisite of the agreement between Mercosur (the South American trade bloc) and the EU, as well as Brazil’s entry to the Organisation for Economic Cooperation and Development (OECD).
LGPD places an obligation on businesses: they must treat personal data securely, whether it relates to employees, customers, partners or suppliers. Businesses must observe the rights of the data subject and may use data only for specific purposes, and then only the data necessary to perform a specific activity. To meet these obligations, a business must have a detailed understanding of its own internal processes so it can develop rules and policies that ensure compliance with data protection requirements. Staff training is also important to create a shift in culture to one where employees are conscious of the need to both protect personal data and use it correctly.
Implementing a privacy programme
Businesses implementing privacy programmes have often found them to be a springboard for developing wider compliance and corporate governance programmes. The mandatory requirements of the legislation have caused businesses to:
- create internal rules that protect the personal data held in databases
- implement new policies that come from the top and filter down the corporate structure
- raise awareness among employees of the importance of secure and ethical data-processing.
The legislation requires that businesses take both technical and administrative steps to ensure the protection of personal data. This means:
- a risk management exercise to establish existing strengths and weaknesses in compliance
- implementing IT solutions to avoid data breaches
- mapping and strengthening internal processes
- creating and updating policies, contracts, manuals, and codes of ethics and conduct.
Implementing an effective privacy programme needs a specialised team with multidisciplinary expertise, developed and supported by internal compliance and corporate governance functions.
Complying with LGPD
Complying with the legislation presents a challenge in itself, but it brings benefits too. A compliant business stands out from the competition and presents an image of sustainability and corporate governance to stakeholders and customers alike. Overcoming compliance challenges means following corporate governance principles such as monitoring and risk mapping, with transparency, fairness, and corporate social responsibility.
Any compliance programme aimed at promoting corporate governance must also meet digital compliance requirements. These involve not only data security but also issues around:
- artificial intelligence
- Internet of Things
- managing security incidents.
All areas of compliance feature under the broad heading of corporate governance, whether designed to aid business activity or to counter unethical or illegal practices.