LGPD: how did it appear and what are the rules of the General Data Protection Law
Right now, millions of people are online and sharing their personal information in various digital environments. Whether to buy, study, work, publish photos and videos, play games, listen to music, or pay bills, it is necessary to share personal data such as e-mail, number of documents or credit cards.
But, after all, what happens with this and how to ensure that this material is safe? This is exactly what is regulated by Law 13,709, the General Data Protection Law (LGPD).
How did the LGPD appear and what are its objectives?
The LGPD was inspired by the European Union's General Data Protection Regulation (GDPR) and establishes clear rules on how companies and government entities must collect, store, use, and share citizen data.
As of this sanction, the use of any personal information, from the most basic, such as name and e-mail, to health data, must fall under the new law - and fines for non-compliance can reach R$ 50 million.
Transparency and monitoring of the LGPD
When filling out a form or providing personal data in any other way, it is essential that the data subject is informed of the reason for the processing and what will be done with this information. To this end, controllers, those who receive this data, must make a privacy notice available to data subjects – which is the transparency tool in data processing.
In this sense, the LGPD provides certain guarantees to citizens, such as: being able to request that their personal data be deleted; revoke consent; transfer data to another service provider, among other actions.
To monitor and apply penalties in cases of non-compliance with the General Data Protection Law in Brazil, the responsible body is the National Authority for the Protection of Personal Data (ANPD).
What are the rules of the General Data Protection Act?
Purpose: Personal data must be collected and used only for specific, legitimate and explicit purposes, informed to the owner at the time of collection.
Adequacy: Data processing must be compatible with the purposes for which they were collected and cannot be used excessively or inappropriately.
Free Access: The owners have the right to access the information they have about them, and can obtain information about the processing and purpose of the data.
Data Quality: Personal data must be accurate, clear, and up-to-date to ensure that it is correct and complete.
Security: Security measures must be implemented to protect personal data against unauthorized access, leaks, and other forms of inappropriate treatment.
Prevention: Preventive practices and measures must be adopted to avoid the occurrence of damages and risks to the data subject.
Non-Discrimination: Personal data cannot be used for discriminatory, illegal, or abusive practices.
Accountability and Accountability: Companies must demonstrate that they comply with the LGPD by implementing policies and practices that guarantee data protection.
Transparency: Information about data processing must be clear and accessible to data subjects, who must be informed about how and for what their data is being used.
Impacts of the LGPD on society and companies
The General Data Protection Law goes beyond a set of regulations. It signals a significant change in the way society deals with privacy and security in the digital age.
Its impacts are not limited to legal obligations, but also affect people's interaction with technology and with the processing of personal data. However, for this, citizens must be aware of the rules provided by the companies that process their data, and must be aware of their rights and how to exercise them.
At any time during the relationship with the institution, it is possible to request information about what data is being collected and how it is being used.
Companies, on the other hand, must implement an internal compliance structure and policy to properly treat their clients' data. This is true for both public and private sector entities.
To ensure that the process takes place properly, the LGPD defines three important roles in organizations:
To ensure compliance with the LGPD, it is recommended that companies create a committee to develop internal policies, define goals, and draw up data protection management plans. This includes emergency plans to manage crises involving security and privacy. In cases of information leak, both the customer and the regulatory agency must be notified quickly and efficiently.
Additionally, employees of the parent organization need to be aware of the procedures related to the LGPD. Therefore, it is essential that they are trained on the new legislation and on how data will be processed within the company.
LGPD at Neoenergia
The implementation of the law marks a significant advance in the maturity of organizations and data subjects regarding the protection of personal data, both by clearly establishing duties and rights and by increasing the maturity of personal data protection and cybersecurity processes.
To comply with the law, Neoenergia followed a plan divided into three phases: mapping and definition of action plans; implementation of defined plans and adjustments to the data processing catalog; and improvement of the governance model.
The first stage included the creation of the Register of Data Processing Actions, a comprehensive catalog that documents all data processing carried out by the company, including the legal basis and other pertinent information.
After the mapping, Neoenergia published privacy notices on its websites, established channels so that the owners can exercise their rights, and initiated a training process to foster a culture of personal data protection among its employees, in addition to adjusting its internal processes.
Currently, data subjects (customers, visitors, etc.) whose data is processed by the Neoenergia Group can access the Privacy Policy/Notices page on the company's websites. The organizational structure to handle personal data security has already been established, starting with the DPO (Data Protection Officer) and extending to 84 Data Protection Officers, in addition to 52 Data Protection Officers, in the various areas of the company. In addition, the Cybersecurity, Personal Data Protection and Incident Handling regulations have been reviewed and updated to ensure greater compliance with the LGPD.
The company continues to improve its governance and personal data protection model on an ongoing basis, including adjustments to the Incident Handling Framework, which defines internal rules for dealing with data leaks and other cybersecurity incidents.
News
2024-11-07
Neoenergia prevê investimento de R$ 4,7 milhões em eficiência energética em instituições de Ensino Federal até 2025
2024-11-01
Portaria autoriza projeto de descarbonização em Fernando de Noronha pela Neoenergia
2024-11-01
ENEM 2024: Neoenergia tem operação especial nas cinco distribuidoras
2024-10-30
Neoenergia Elektro é considerada a melhor empresa para trabalhar no interior de São Paulo
2024-10-25